1.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
How to Hack Your App
Using SQL
Chris Saxon, Oracle Developer Advocate, @ChrisRSaxon, @SQLDaily
www.youtube.com/c/TheMagicofSQL
blogs.oracle.com/sql
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

2.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
It's2018!
...do we really need to talk about this?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

3.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
https://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

4.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

5.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
http://www.bbc.co.uk/news/technology-34963686
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

6.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/10/talktalk-gets-record-
400-000-fine-for-failing-to-prevent-october-2015-attack/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

7.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
SQL Vulnerabilities
Wordpress Jan 2017
https://wordpress.org/news/2017/01/wordpress-4-7-2-security-release/
Jul 2017
https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/
Oct 2017
https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

8.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
codecurmudgeon.com/wp/sql-injection-hall-of-shame/
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

9.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
https://haveibeenpwned.com/

10.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
DEMO
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

11.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

12.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

13.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

14.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Principle of
Least
Privilege
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

15.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Least Privilege

16.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Least Privilege

17.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
Least Privilege
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

18.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Data
Red*****n
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

19.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Data
Red*****n
Can still
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

20.
Use Bind Variables!
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

21.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = '" + name + "'
and password = '" + pass + "'";
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

22.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = 'chris'
and password = 'chris';
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

23.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = '' or 1 = 1 --'
and password = 'chris';
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

24.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = '' or 1 = 1 --'
and password = 'chris';
Always
true!
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

25.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = 'chris'
and password = '' union all
select owner || '.' || table_name
from all_tables where 1='1';
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

26.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
select full_name from users
where username = 'chris'
and password = '' union all
select owner || '.' || table_name
from all_tables where 1='1';
Everything you
can select
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

27.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = ?
and password = ?";
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

28.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = ?
and password = ?";
Value
placeholder
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

29.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users
where username = ?
and password = ?";
Value
placeholder
Inputs never part of SQL =>
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

30.
PL/SQL is
automatically bound
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

31.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
begin
select *
into user_rec
from sqlinjection.users u
where u.username = l_name
and u.password = l_pass;
end;
These are
bind variables
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

32.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
execute
Pixabay
Least Privilege
plsql f (x)
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

33.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
I write dynamic
SQL
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

34.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
String sql =
"select * from users where 1 = 1 ";
if param_1 is not null then
sql = sql + " and c1 = ? ";
end if;
if param_2 is not null then
sql = sql + " and c2 = ? ";
end if;
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
can still bind

35.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
…but I accept
identifiers
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

36.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Sanitize input!
Pixabay
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

37.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Sanitize input!
Pixabay
DBMS_assert
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

38.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Change User Passwords
execute immediate 'alter user ' ||
dbms_assert.schema_name ( user ) ||
' identified by "' ||
replace(
dbms_assert.enquote_literal ( pass ), ''''
) || '"';
Can't have single
quotes (') in password!
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

39.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
I develop an
internal app
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

40.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Gratisography
employees
can has
your dataz?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

41.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
How secure is
your network?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

42.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 42
Web Browser Web Server Database
SSL
TDE
Encryption
here is
overkill,
right?
Transparent
Data
Encryption?
SSL?

43.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 43

44.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | 44
Web Browser Web Server Database
SSL
TDE
Native
Encryption
See doc for more details

45.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
I don't have time
to review all
code

46.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. | blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Test
Deploy
Build
Run sqlmap
Test in CI/CD Process

47.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Virtual Private Database
Restrict access at source
Employee Name Manager Name Salary SSN
Kevin Mourgos Steven King 5800 650-123-5234
Shanta Vollman Steven King 6500 650-123-4234
Payam Kaufling Steven King 7900 650-123-3234
Adam Fripp Steven King 8200 650-123-2234
Matthew Weiss Steven King 8000 650-123-1234
Girard Geoni Matthew Weiss 2800 650-507-9879
Martha Sullivan Matthew Weiss 2500 650-507-9878
Jean Fleaur Matthew Weiss 3100 650-507-9877
Winston Taylor Matthew Weiss 3200 650-507-9876
Steven Markle Matthew Weiss 2200 650-124-1434

48.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Virtual Private Database
Restrict access at source
Employee Name Manager Name Salary SSN
Kevin Mourgos Steven King
Shanta Vollman Steven King
Payam Kaufling Steven King
Adam Fripp Steven King
Matthew Weiss Steven King 8000 650-123-1234
Girard Geoni Matthew Weiss 2800
Martha Sullivan Matthew Weiss 2500
Jean Fleaur Matthew Weiss 3100
Winston Taylor Matthew Weiss 3200
Steven Markle Matthew Weiss 2200

49.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
How at risk am I?
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

50.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
DBSAT
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

51.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
DBSAT
My Oracle Support 2138254.1
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

52.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Pixabay
PL/SQL
Least Privilege
Data R*******n
Bind Variables
Sanitize inputs
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon
Security Layers

53.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
It's2018!
no excuses...
... your data!
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon

54.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Gratisography
sqlmap.org
#MakeDataGreatAgain
blogs.oracle.com/sql www.youtube.com/c/TheMagicOfSQL @ChrisRSaxon