Oracle Techniques

By Timothy Dyck  |  Posted 2002-10-14

Oracle staffers did an audit and penetration test on our code when they received it and were satisfied with the parameter validation and user authentication code we had written.

They made three other important security changes to the application.

First, they configured the copy of Apache HTTP Server that is included with Oracle9i Application Server, as well as the application server itself, to display the same generic error page whenever any kind of error is encountered. This way, crackers probing for application flaws don't get any information-rich error messages that might hint where they should direct future activities.

Second, Oracle staff added an HTML sanitization routine to outgoing e-mail content to prevent a form of server-side scripting attack through e-mail. Since many e-mail clients automatically render HTML tags, e-mail becomes one more attack vector if it includes any user-supplied data.
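The article does not reproduce Oracle's sanitization routine. The following is an added PL/SQL example of the same idea, written for this page rather than taken from the OpenHack application: user-supplied text is escaped before it is placed in an HTML e-mail body, so any tags the user typed are shown literally instead of being rendered by the recipient's mail client. The function names, parameters and sample input are assumptions for illustration.

```plsql
-- Added example, not the OpenHack application's own routine: escape
-- user-supplied text before it is placed in an HTML e-mail body.
CREATE OR REPLACE FUNCTION escape_for_email(p_text IN VARCHAR2) RETURN VARCHAR2 IS
  l_out VARCHAR2(32767) := p_text;
BEGIN
  -- '&' must be replaced first; otherwise the entities added below would be
  -- escaped a second time (e.g. '&lt;' would turn into '&amp;lt;').
  l_out := REPLACE(l_out, '&', '&amp;');
  l_out := REPLACE(l_out, '<', '&lt;');
  l_out := REPLACE(l_out, '>', '&gt;');
  l_out := REPLACE(l_out, '"', '&quot;');
  l_out := REPLACE(l_out, '''', '&#39;');
  RETURN l_out;
END escape_for_email;
/

-- Assembling a notification body: every user-controlled field passes through
-- the escape function; the surrounding markup is fixed application text.
-- (order_notice and its parameters are assumed names for this example.)
CREATE OR REPLACE FUNCTION order_notice(p_display_name IN VARCHAR2,
                                        p_comment      IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN '<html><body>'
      || '<p>Thank you, ' || escape_for_email(p_display_name) || '.</p>'
      || '<p>Your note: ' || escape_for_email(p_comment) || '</p>'
      || '</body></html>';
END order_notice;
/

-- Constructed input for a quick check: the <b> tag in the comment comes back
-- as literal text rather than markup.
-- SELECT order_notice('Pat', 'Please ship <b>quickly</b> & thanks') FROM dual;
```

Escaping is the conservative choice for e-mail: the application keeps control of all markup, and nothing a user typed can become a tag. If the PL/SQL Web Toolkit is installed, its HTF.ESCAPE_SC function performs the same substitutions.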

Third, Oracle wrote a stored procedure that controls access to credit card and user account password data. The stored procedure uses the Triple Data Encryption Standard encryption routines shipped with Oracle's database to ensure that this data is stored on disk in encrypted form. "It's more difficult to invoke a PL/SQL procedure because you have to know the parameters," said John Abel, in Reading, England, the Oracle consultant who wrote the application. "It protects against SQL injection as well as a [database administrator] having a look around."

Abel also used Oracle9i Database's stored procedure wrap function to obfuscate the source code of the stored procedure itself, so that anyone who was able to access the database wouldn't be able to view the encryption code. The Oracle test application can be accessed at www.oracle.openhack.com/openhack/index.jsp.
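The article describes the stored procedure and the wrap step without showing code. The following is an added example in the same spirit, not John Abel's implementation: a PL/SQL package that is the only route to an encrypted card-number column, uses the Oracle9i DBMS_OBFUSCATION_TOOLKIT Triple DES routines, validates its one data parameter, and never hands a full card number back to the caller. The table name, column names, key constant and grantee (app_user) are assumptions for this example.

```plsql
-- Added example, not the OpenHack application's own code. Table and
-- column names are assumed; the column holds 3DES ciphertext only.
CREATE TABLE card_vault (
  account_id    NUMBER   PRIMARY KEY,
  card_number_e RAW(32)  NOT NULL
);

CREATE OR REPLACE PACKAGE card_vault_api AS
  PROCEDURE store_card(p_account_id IN NUMBER, p_card_number IN VARCHAR2);
  FUNCTION  last_four (p_account_id IN NUMBER) RETURN VARCHAR2;
END card_vault_api;
/

CREATE OR REPLACE PACKAGE BODY card_vault_api AS
  -- Two-key 3DES needs a 16-byte key. This constant is a placeholder; a real
  -- deployment fetches the key from a protected location, not the package body.
  c_key CONSTANT RAW(16) := HEXTORAW('00112233445566778899AABBCCDDEEFF');

  -- DES works on 8-byte blocks; pad with spaces up to a multiple of 8.
  FUNCTION pad8(p IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN RPAD(p, CEIL(LENGTH(p) / 8) * 8, ' ');
  END pad8;

  PROCEDURE store_card(p_account_id IN NUMBER, p_card_number IN VARCHAR2) IS
    l_clean  VARCHAR2(32);
    l_cipher RAW(32);
  BEGIN
    -- Parameter validation: digits only, plausible card-number length.
    l_clean := REPLACE(p_card_number, ' ', '');
    IF l_clean IS NULL
       OR LENGTH(l_clean) NOT BETWEEN 13 AND 19
       OR LENGTH(TRANSLATE(l_clean, 'x0123456789', 'x')) > 0 THEN
      RAISE_APPLICATION_ERROR(-20001, 'invalid card number');
    END IF;

    -- which defaults to 0, i.e. two-key Triple DES.
    l_cipher := DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
                  input => UTL_RAW.CAST_TO_RAW(pad8(l_clean)),
                  key   => c_key);

    MERGE INTO card_vault v
    USING (SELECT p_account_id AS id FROM dual) s
    ON (v.account_id = s.id)
    WHEN MATCHED THEN UPDATE SET card_number_e = l_cipher
    WHEN NOT MATCHED THEN INSERT (account_id, card_number_e)
                          VALUES (s.id, l_cipher);
  END store_card;

  -- Decrypts inside the package and returns only the last four digits, so
  -- even a legitimate caller never receives the full number.
  FUNCTION last_four(p_account_id IN NUMBER) RETURN VARCHAR2 IS
    l_cipher RAW(32);
    l_plain  VARCHAR2(32);
  BEGIN
    SELECT card_number_e INTO l_cipher
      FROM card_vault WHERE account_id = p_account_id;
    l_plain := RTRIM(UTL_RAW.CAST_TO_VARCHAR2(
                 DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(input => l_cipher,
                                                      key   => c_key)));
    RETURN SUBSTR(l_plain, -4);
  END last_four;
END card_vault_api;
/

-- Callers get EXECUTE on the package only; no grants on card_vault itself.
GRANT EXECUTE ON card_vault_api TO app_user;
```

Because the package runs with definer's rights, the application account needs no SELECT or INSERT privilege on the table, which is what gives the article's "you have to know the parameters" property: the only thing an attacker or a curious DBA can reach through the application is the package interface. The obfuscation step the article mentions is separate from the code: the package body is run through the command-line wrap utility (for example `wrap iname=card_vault_api.pls oname=card_vault_api.plb`) and the resulting .plb file is loaded instead of the plain source, so the key-handling logic is not readable from the data dictionary.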

Timothy Dyck is a Senior Analyst with eWEEK Labs. He has been testing and reviewing application server, database and middleware products and technologies for eWEEK since 1996. Prior to joining eWEEK, he worked at the LAN and WAN network operations center for a large telecommunications firm, in operating systems and development tools technical marketing for a large software company and in the IT department at a government agency. He has an honors bachelor's degree of mathematics in computer science from the University of Waterloo in Waterloo, Ontario, Canada, and a Master of Arts degree in journalism from the University of Western Ontario in London, Ontario, Canada.