Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle 11i and SSO"] [Next entry: "Using JAZN LDAP for security in Portal"]

Some good SQL Injection links

I saw a post on Eddie's blog yesterday that has links to 4 SQL Injection papers. The SQL Injection papers post can be found here. SQL Injection is a fact of life nowadays and the security spectrum now seems to focus on one type of interpreter injection method or another. The security of data has moved center stage and the old firewall based security whilst still valid has moved to the wings. Hackers, whatever type, criminal or not seem to focus on data and seem to use sequenced or merged attacks that use techniques like SQL Injection. This means that even if your database is held inside your organisation and is behind multiple firewalls, maybe even not directly accessible externally it could still be attacked. I like to think of techniques like SQL Injection when used "very" creatively is like trying to paint your living room whilst stood in the street and using the front door keyhole as the only access BUT the paint is applied as though you are using a 3 foot wide paint roller. I was at Blackhat in Las Vegas a couple of months ago and was quite excited to hear a presentation that demonstrated how a PC on an internal IP address could be controlled externally using Javascript and iFrames or AJAX. This was so cool. If you are a DBA, developer or anyone implementing Oracle think about SQL Injection, cross site scripting, scripting in general and dont think you are secure just because an application doesnt use the web!