Oracle Techniques

Oracle staffers did an audit and penetration test on our code when they received it and were satisfied with the parameter validation and user authentication code we had written. They made three other important security changes to the application.

First, they configured the copy of Apache HTTP Server that is included with Oracle9i Application Server, as well as the application server itself, to display the same generic error page whenever any kind of error is encountered. This way, crackers probing for application flaws don't get any information-rich error messages that might hint where they should direct future activities.

Second, Oracle staff added an HTML sanitization routine to outgoing e-mail content to prevent a form of server-side scripting attack through e-mail. Since many e-mail clients automatically render HTML tags, e-mail becomes one more attack vector if it includes any user-supplied data.

Third, Oracle wrote a stored procedure that controls access to credit card and user account password data. The stored procedure uses the Triple Data Encryption Standard encryption routines shipped with Oracle's database to ensure that this data is stored on disk in encrypted form. "It's more difficult to invoke a PL/SQL procedure because you have to know the parameters," said John Abel, in Reading, England, the Oracle consultant who wrote the application. "It protects against SQL injection as well as a [database administrator] having a look around." Abel also used Oracle9i Database's stored procedure wrap function to obfuscate the source code of the stored procedure itself, so that anyone who was able to access the database wouldn't be able to view the encryption code. The Oracle test application can be accessed at www.oracle.openhack.com/openhack/index.jsp.
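The e-mail sanitization change is the one most easily shown in code. The following is an added example, not Oracle's OpenHack code (which was JSP and PL/SQL); it is written in Python and assumes a hypothetical order-confirmation template whose only tags are the ones listed in TEMPLATE_TAGS. It escapes user-supplied fields before they are embedded in the HTML body and refuses to assemble the message if any tag not emitted by the template survives.

```python
# Added example (not from the article or Oracle's application): sanitising
# user-supplied data before it is placed in an HTML e-mail body.
import html
from email.message import EmailMessage
from html.parser import HTMLParser

# Tags the (hypothetical) notification template itself emits. Any other tag
# in the rendered body must have come from untrusted data.
TEMPLATE_TAGS = {"html", "body", "p", "strong"}


def sanitize_for_html(value: str) -> str:
    """Neutralise HTML metacharacters; quote=True also covers attribute context."""
    return html.escape(value, quote=True)


def render_order_notice(customer_name: str, note: str) -> str:
    """Render the HTML body. Both arguments are untrusted web-form input."""
    return (
        "<html><body>"
        f"<p>Thank you, <strong>{sanitize_for_html(customer_name)}</strong>.</p>"
        f"<p>Your note: {sanitize_for_html(note)}</p>"
        "</body></html>"
    )


class _TagCollector(HTMLParser):
    """Records every start tag the mail client would see in the body."""
    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def foreign_tags(body: str) -> set:
    """Return tags present in the body that the template did not emit."""
    collector = _TagCollector()
    collector.feed(body)
    return collector.tags - TEMPLATE_TAGS


def build_message(to_addr: str, customer_name: str, note: str) -> EmailMessage:
    """Assemble the outgoing message; fail closed if sanitisation was bypassed."""
    body = render_order_notice(customer_name, note)
    if foreign_tags(body):
        raise ValueError("unexpected markup in outgoing e-mail body")
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["Subject"] = "Your order"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(body, subtype="html")
    return msg


# Constructed sample input: a customer "name" carrying a script tag.
HOSTILE_NAME = "<script>alert(1)</script>"
```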