Design and develop secured oracle applications
Download as PPT, PDF0 likes247 views
This document discusses securing Oracle applications from SQL injection vulnerabilities. It begins by explaining the risks of SQL injection and demonstrating an example. It then discusses the impacts of SQL injection, including bypassing authentication, information disclosure, information tampering, and database corruption. The document provides recommendations for secure coding practices like using bind variables with dynamic SQL, input validation, error handling without sensitive details, and the DBMS_ASSERT package. It emphasizes following best practices like "security by design" to develop securely.
Design and develop secured oracle applications
- 1. Design & Develop Secured Oracle Applications Oded Raz, Oracle ACE Director Brillix LTD
- 2. 2 Agenda • Security Risks • SQL Injection – Overview • SQL Injection - Demo • DBMS_ASSERT • Error Handling • Secured By Design
- 3. 3 Vulnerabilities By Industry – 2010
- 4. 4 Top Web Site Vulnerabilities - 2010
- 5. What is SQL Injection • SQL injection happens when an application fails to filter SQL syntax from user- controllable input. • The user input is used in the construction of dynamic SQL statements • The user input then affects the execution of the dynamically generated SQL statement
- 6. SQL Injection – Demo ‘ or ‘k’=‘k
- 7. 11 Impact of SQL Injection Bypassing authentication mechanisms select id from users where name=‘admin’ and password=‘’ or ‘1’=‘1’ Information disclosure select phone from users where name=‘’ UNION select credit_num from users --’ Information tampering select id from clients where name=‘’; update clients set debt=0; --
- 8. 12 Impact of SQL Injection Database corrupting select usr_id from clients where name=‘’; drop table clients;-- Command execution select picture from animals where name=‘‘;EXEC master.dbo.xp_cmdshell 'format /y c:’
- 9. SQL Injection - Sources Web Pages : ● JSP ● ASP ● PHP PL / SQL Java .Net
- 10. What to Look for : Dynamic SQL ● EXECUTE IMMEDIATE (PL/SQL) ● DBMS_SQL package (PL/SQL) ● PreparedStatement (Java) Input not being sanitized Unhandled Errors
- 11. EXECUTE IMMEDIATE CREATE OR REPLACE PROCEDURE odtug (name IN VARCHAR2) IS sql VARCHAR2; code VARCHAR2; BEGIN ... sql := 'SELECT salary FROM emp WHERE name = ''' || name || ''''; EXECUTE IMMEDIATE sql INTO code; ... END; sql := 'SELECT salary FROM emp WHERE name = :name'; EXECUTE IMMEDIATE sql USING name INTO code; Use Bind Variables
- 12. DBMS_SQL CREATE OR REPLACE PROCEDURE kscope(name IN VARCHAR2) IS dyn_cursor INTEGER; rows_processed INTEGER; sql VARCHAR2(150); code VARCHAR2(2); BEGIN sql := 'SELECT salary FROM emp WHERE name = ''' || name || ''''; dyn_cursor := dbms_sql.open_cursor; DBMS_SQL.PARSE(dyn_cursor , sql, DBMS_SQL.NATIVE); DBMS_SQL.DEFINE_COLUMN(dyn_cursor , 1, code, 10); rows_processed := DBMS_SQL.EXECUTE(dyn_cursor); DBMS_SQL.CLOSE_CURSOR(dyn_cursor); END; sql := 'SELECT postal-code FROM states WHERE state-name = :name'; dyn_cursor := dbms_sql.open_cursor; DBMS_SQL.PARSE(dyn_cursor, sql, DBMS_SQL.NATIVE); DBMS_SQL.DEFINE_COLUMNdyn_cursor, 1, code, 10); DBMS_SQL.BIND_VARIABLE(dyn_cursor, ':name', name); rows_processed := DBMS_SQL.EXECUTE(dyn_cursor); DBMS_SQL.CLOSE_CURSOR(dyn_cursor); Use Bind Variables
- 13. Dynamic Cursors CREATE OR REPLACE PROCEDURE kscop(address IN VARCHAR2) IS sql VARCHAR2; BEGIN sql := 'SELECT * FROM emp WHERE address = ''' || address || ''''; OPEN crs_emp FOR sql; LOOP FETCH crs_emp INTO rec_state EXIT WHEN crs_emp %NOTFOUND; END LOOP; CLOSE crs_emp; END; Avoid using Dynamic Cursors use EXECUTE IMMEDIATE / DBMS_SQL with bind variables Instead
- 14. JDBC - PreparedStatement String name = request.getParameter("name"); PreparedStatement pstmt = conn.prepareStatement("insert into EMP (ENAME) values ('" + name + "')"); pstmt.execute(); pstmt.close(); PreparedStatement pstmt = conn.prepareStatement ("insert into EMP (ENAME) values (?)"); String name = request.getParameter("name"); pstmt.setString (1, name); pstmt.execute(); pstmt.close();
- 15. 19 DBMS_ASSERT • ENQUOTE_LITERAL - Encloses the string literal within single quotation marks. sql_stmt constant varchar2(32000) := ' SELECT count(*) FROM emp where dept_name='''|| dept_parm ||''''; literal varchar2(1024):= '''|| dept_parm ||'''; sql_stmt constant varchar2(32000) := ' SELECT count(*) FROM emp where dept_name= ‘ || SYS.DBMS_ASSERT.ENQUOTE_LITERAL(literal);
- 16. 20 DBMS_ASSERT • SIMPLE_SQL_NAME - Verifies that the string is a simple SQL name. sql_stmt constant varchar2(32000) := ‘SELECT ‘||p_col ||’ FROM ‘|| p_tab; sql_stmt constant varchar2(32000) := ‘SELECT ‘ || SYS.DBMS_ASSERT.SIMAPLE_SQL_NAME(p_col) ||’ FROM ‘|| SYS.DBMS_ASSERT.SIMAPLE_SQL_NAME(p_tab);
- 17. 21 Error Handling Do not enclose valuable information, it can be used to orchestrate as attack. EXCEPTION WHEN OTHERS THEN dbms_output.put_line('No Data Found');
- 18. 22 Defense = Security By Design • Use Bind Arguments • Error Handling – Do not enclose valuable information • Input Validation • Use DBMS_ASSERT • Always validate HTML Fields / Parameters • Carefully inspect dynamic SQL and filter parameters • Use fully qualified name when calling packages.
- 19. Q & A Exploits of a mom – XKCD – Randall Munroe
- 20. Design & Develop Secured Oracle Applications Please Fill Out Your Evaluations Oded Raz, Oracle ACE Director Brillix LTD
Editor's Notes
- #2: This is your opening slide.
- #3: Demonstrate it against an example page in swiftcoders.com If not applicable consider the following Example: Go to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php Enter naïve input Go back to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php This time enter: <script lanugauge="javascript">alert("hello")</script>
- #4: Demonstrate it against an example page in swiftcoders.com If not applicable consider the following Example: Go to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php Enter naïve input Go back to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php This time enter: <script lanugauge="javascript">alert("hello")</script>
- #5: Demonstrate it against an example page in swiftcoders.com If not applicable consider the following Example: Go to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php Enter naïve input Go back to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php This time enter: <script lanugauge="javascript">alert("hello")</script>
- #6: Demonstrate it against an example page in swiftcoders.com If not applicable consider the following Example: Go to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php Enter naïve input Go back to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php This time enter: <script lanugauge="javascript">alert("hello")</script>
- #7: Use this template for all your content slides. There are also other layout slides you can feel free to use.
- #11: Use this template for all your content slides. There are also other layout slides you can feel free to use.
- #12: Bypassing Authentication – A record is searched for with the supplied user name and password. If it is found (i.e. the query returns something other than an empty set), the authentication is considered successful. By injecting, the query is altered to always return something, since the ‘1’=‘1’ clause is added which always evaluates to TRUE. Therefore login will always succeed.
- #13: Bypassing Authentication – A record is searched for with the supplied user name and password. If it is found (i.e. the query returns something other than an empty set), the authentication is considered successful. By injecting, the query is altered to always return something, since the ‘1’=‘1’ clause is added which always evaluates to TRUE. Therefore login will always succeed.
- #14: Use this template for all your content slides. There are also other layout slides you can feel free to use.
- #20: Demonstrate it against an example page in swiftcoders.com If not applicable consider the following Example: Go to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php Enter naïve input Go back to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php This time enter: <script lanugauge="javascript">alert("hello")</script>
- #21: Demonstrate it against an example page in swiftcoders.com If not applicable consider the following Example: Go to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php Enter naïve input Go back to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php This time enter: <script lanugauge="javascript">alert("hello")</script>
- #22: Demonstrate it against an example page in swiftcoders.com If not applicable consider the following Example: Go to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php Enter naïve input Go back to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php This time enter: <script lanugauge="javascript">alert("hello")</script>
- #23: Demonstrate it against an example page in swiftcoders.com If not applicable consider the following Example: Go to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php Enter naïve input Go back to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php This time enter: <script lanugauge="javascript">alert("hello")</script>
- #25: This is the final slide of the presentation.