Slavik has a nice post on his blog (picked up from my Oracle blogs aggregator) titled "Blind SQL Injection in Oracle". This is a nice article that discusses SQL injection types with nice examples for Oracle and also talks a bit about blind SQL injection and the use of timeouts. Slavik asks if using timeouts with blind SQL injection is a valid technique; well, yes, it is. Chema Alonso talked about this a couple of years ago in a paper he wrote on the Microsoft website, using SQL Server as the example. I mentioned this paper in my SQL Server Security blog (which unfortunately I have not had much time to update recently). Chema also links to the previous work by Chris Anley, David Litchfield (on Oracle as well) and others in the same area.
I also came across a paper for the CIPFA CATS Information Technology Seminar written and presented by Lindsay Hamilton titled "How Secure Are Your Personal Details?". This is quite a nice paper (beware, it's MS PPT, not PDF) covering data auditing and monitoring from a high level and also security assessment.
October 14th, 2009 at 02:46 pm
Pete Finnigan says:
Pete,
I think Slavik forgot to add [in Oracle] to his question "Is using timeouts as delays for blind SQL injection [in Oracle] a usable technique".
Slavik knows that timeouts in MSSQL are not a problem and he knows this technique. But have you ever seen a working example of blind SQL injection using timeouts in Oracle? I am not aware of such an example but would be happy to find one.
And the presentation from Chema Alonso is about time-based (aka heavy queries) and not timeout-based blind SQL injection. Chema mentions dbms_lock from Oracle but this normally can't be used in SQL queries (because it's a procedure and not a function).
A PL/SQL bug in dbms_export_extension could be used to inject dbms_lock.sleep, but this only works if the database is not patched properly.
Alex