Design & Develop Secured Oracle
Applications
Oded Raz, Oracle ACE Director
Brillix LTD
Agenda
• Security Risks
• SQL Injection – Overview
• SQL Injection - Demo
• DBMS_ASSERT
• Error Handling
• Secured By Design
[Chart: Vulnerabilities By Industry – 2010]
[Chart: Top Web Site Vulnerabilities - 2010]
What is SQL Injection
• SQL injection happens when an application fails to filter SQL syntax from user-controllable input.
• The user input is used in the construction of dynamic SQL statements.
• The user input then affects the execution of the dynamically generated SQL statement.
SQL Injection – Demo
' or 'k'='k
Impact of SQL Injection
• Bypassing authentication mechanisms
  select id from users where name='admin' and password='' or '1'='1'
• Information disclosure
  select phone from users where name=''
  UNION
  select credit_num from users --'
• Information tampering
  select id from clients where name=''; update clients set debt=0; --
• Database corrupting
  select usr_id from clients where name=''; drop table clients;--
• Command execution
  select picture
  from animals
  where name='';EXEC master.dbo.xp_cmdshell 'format /y c:'
SQL Injection - Sources
• Web Pages:
  ● JSP
  ● ASP
  ● PHP
• PL/SQL
• Java
• .Net
What to Look for:
• Dynamic SQL
  ● EXECUTE IMMEDIATE (PL/SQL)
  ● DBMS_SQL package (PL/SQL)
  ● PreparedStatement (Java)
• Input not being sanitized
• Unhandled Errors
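The checks on this slide can be partly automated during code review. The following Python script is an added illustration, not part of the deck: it runs over a constructed PL/SQL and JDBC fragment (the sample source, procedure and variable names are the example's own), tracks which variables were assigned by string concatenation, flags each dynamic-SQL sink named above (EXECUTE IMMEDIATE, DBMS_SQL.PARSE, OPEN ... FOR, and prepareStatement) when it consumes such text, and flags exception handlers that echo SQLERRM to the caller. It is a line-oriented heuristic, not a parser, so statements spanning several lines must be joined before it sees them.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    rule: str
    text: str


# Dynamic-SQL sinks named on the slide, plus the JDBC PreparedStatement factory.
# Each pattern captures the expression that becomes the statement text.
SINK_PATTERNS = {
    "EXECUTE IMMEDIATE": re.compile(r"\bEXECUTE\s+IMMEDIATE\s+(\w+|'[^']*'.*)", re.I),
    "DBMS_SQL.PARSE": re.compile(r"\bDBMS_SQL\.PARSE\s*\(\s*\w+\s*,\s*([^,]+),", re.I),
    "OPEN ... FOR": re.compile(r"\bOPEN\s+\w+\s+FOR\s+(\w+|'[^']*'.*)", re.I),
    "prepareStatement": re.compile(r"prepareStatement\s*\(\s*([^;]+)\)"),
}
ASSIGN_PLSQL = re.compile(r"^\s*(\w+)\s*:=\s*(.+);\s*$")
ASSIGN_JAVA = re.compile(r"^\s*(?:\w+\s+)?(\w+)\s*=\s*(.+);\s*$")
# Places where an exception handler hands text back to the caller.
ERROR_SINK = re.compile(r"put_line|raise_application_error|htp\.", re.I)


def is_concatenated(expr):
    # PL/SQL '||' or a Java '+' touching a string literal: SQL text glued to a variable.
    return "||" in expr or re.search(r'"\s*\+|\+\s*"', expr) is not None


def review(source):
    """Flag dynamic SQL whose text is built by concatenation, and handlers that echo SQLERRM."""
    tainted = set()  # variables currently holding concatenated SQL text
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        # Track assignments: a concatenated right-hand side taints the variable,
        # a plain literal (e.g. one with a :name placeholder) clears it again.
        for pat in (ASSIGN_PLSQL, ASSIGN_JAVA):
            m = pat.match(line)
            if m:
                if is_concatenated(m.group(2)):
                    tainted.add(m.group(1))
                else:
                    tainted.discard(m.group(1))
        for name, pat in SINK_PATTERNS.items():
            m = pat.search(line)
            if m and (is_concatenated(m.group(1)) or m.group(1).strip() in tainted):
                findings.append(Finding(no, f"{name} built by concatenation", line.strip()))
        if re.search(r"\bSQLERRM\b", line, re.I) and ERROR_SINK.search(line):
            findings.append(Finding(no, "error detail exposed to caller", line.strip()))
    return findings


# Constructed sample source: one vulnerable and one bound statement per sink type.
SAMPLE_SOURCE = """\
CREATE OR REPLACE PROCEDURE get_salary(p_name IN VARCHAR2) IS
  l_sql  VARCHAR2(200);
  l_sal  NUMBER;
BEGIN
  l_sql := 'SELECT salary FROM emp WHERE name = ''' || p_name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_sal;
  DBMS_SQL.PARSE(l_cur, l_sql, DBMS_SQL.NATIVE);
  l_sql := 'SELECT salary FROM emp WHERE name = :name';
  EXECUTE IMMEDIATE l_sql INTO l_sal USING p_name;
  OPEN c_emp FOR 'SELECT * FROM emp WHERE address = ''' || p_name || '''';
EXCEPTION
  WHEN OTHERS THEN
    dbms_output.put_line('Lookup failed: ' || SQLERRM);
END;
PreparedStatement pstmt = conn.prepareStatement("insert into EMP (ENAME) values ('" + name + "')");
PreparedStatement safe = conn.prepareStatement("insert into EMP (ENAME) values (?)");
"""

if __name__ == "__main__":
    for f in review(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.rule}: {f.text}")
```

Lines 6, 7 and 10 are flagged because the text they execute was built with `||`; line 9 is not, because the variable was reassigned a literal with a placeholder. Line 15 is flagged because a PreparedStatement built from a concatenated string offers no protection, which is the point of the JDBC slide below.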
EXECUTE IMMEDIATE

-- Vulnerable: the parameter is concatenated into the statement text.
CREATE OR REPLACE PROCEDURE odtug (name IN VARCHAR2)
IS
  l_sql  VARCHAR2(200);  -- renamed from sql, which PL/SQL reserves; VARCHAR2 needs a length
  code   VARCHAR2(10);
BEGIN
  -- ...
  l_sql := 'SELECT salary FROM emp WHERE name = ''' || name || '''';
  EXECUTE IMMEDIATE l_sql INTO code;
  -- ...
END;

Use bind variables instead: the parameter is passed as data and is never parsed as SQL.
  l_sql := 'SELECT salary FROM emp WHERE name = :name';
  EXECUTE IMMEDIATE l_sql INTO code USING name;
DBMS_SQL

-- Vulnerable: the parameter is concatenated into the text that DBMS_SQL.PARSE compiles.
CREATE OR REPLACE PROCEDURE kscope(name IN VARCHAR2) IS
  dyn_cursor      INTEGER;
  rows_processed  INTEGER;
  l_sql           VARCHAR2(150);  -- renamed from sql, which PL/SQL reserves
  code            VARCHAR2(10);   -- sized to match the DEFINE_COLUMN length below
BEGIN
  l_sql := 'SELECT salary FROM emp WHERE name = ''' || name || '''';
  dyn_cursor := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(dyn_cursor, l_sql, DBMS_SQL.NATIVE);
  DBMS_SQL.DEFINE_COLUMN(dyn_cursor, 1, code, 10);
  rows_processed := DBMS_SQL.EXECUTE(dyn_cursor);
  DBMS_SQL.CLOSE_CURSOR(dyn_cursor);
END;

Use bind variables instead: parse a statement with a placeholder, then bind the value before executing.
  l_sql := 'SELECT postal_code FROM states WHERE state_name = :name';
  dyn_cursor := DBMS_SQL.OPEN_CURSOR;
  DBMS_SQL.PARSE(dyn_cursor, l_sql, DBMS_SQL.NATIVE);
  DBMS_SQL.DEFINE_COLUMN(dyn_cursor, 1, code, 10);
  DBMS_SQL.BIND_VARIABLE(dyn_cursor, ':name', name);
  rows_processed := DBMS_SQL.EXECUTE(dyn_cursor);
  IF DBMS_SQL.FETCH_ROWS(dyn_cursor) > 0 THEN
    DBMS_SQL.COLUMN_VALUE(dyn_cursor, 1, code);  -- read the defined column back
  END IF;
  DBMS_SQL.CLOSE_CURSOR(dyn_cursor);
Dynamic Cursors

-- Vulnerable: a ref cursor opened on SQL text built by concatenation.
CREATE OR REPLACE PROCEDURE kscop(address IN VARCHAR2) IS
  l_sql    VARCHAR2(200);   -- renamed from sql, which PL/SQL reserves
  crs_emp  SYS_REFCURSOR;   -- the cursor and record were undeclared on the slide
  rec_emp  emp%ROWTYPE;
BEGIN
  l_sql := 'SELECT * FROM emp WHERE address = ''' || address || '''';
  OPEN crs_emp FOR l_sql;
  LOOP
    FETCH crs_emp INTO rec_emp;
    EXIT WHEN crs_emp%NOTFOUND;
  END LOOP;
  CLOSE crs_emp;
END;

Avoid using dynamic cursors built this way; use EXECUTE IMMEDIATE / DBMS_SQL with bind variables instead.
JDBC - PreparedStatement

// Vulnerable: the parameter is concatenated into the statement text,
// so using PreparedStatement gives no protection here.
String name = request.getParameter("name");
PreparedStatement pstmt =
    conn.prepareStatement("insert into EMP (ENAME) values ('" + name + "')");
pstmt.execute();
pstmt.close();

// Safe: a ? placeholder is bound with setString, so the value is never parsed as SQL.
PreparedStatement pstmt =
    conn.prepareStatement("insert into EMP (ENAME) values (?)");
String name = request.getParameter("name");
pstmt.setString(1, name);
pstmt.execute();
pstmt.close();
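The impact slides and the PL/SQL and JDBC pairs above make a single point: the same input is harmless when it is bound and dangerous when it is concatenated. The following Python script is an added illustration, not code from the deck. It uses an in-memory SQLite database as a stand-in for the Oracle tables (the schema, rows and passwords are constructed), and the `?` placeholders play the role of `:name` in EXECUTE IMMEDIATE ... USING and of `setString` in PreparedStatement. The two inputs exercised are the ones shown on the impact slides.

```python
import sqlite3


def make_db():
    """Constructed sample schema: an in-memory SQLite stand-in for the deck's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, "
        "phone TEXT, credit_num TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password, phone, credit_num) VALUES (?, ?, ?, ?)",
        [
            ("admin", "constructed-pw-1", "555-0100", "4111-0000-0000-0001"),
            ("bob", "constructed-pw-2", "555-0101", "4111-0000-0000-0002"),
        ],
    )
    return conn


# Vulnerable: the same concatenation the EXECUTE IMMEDIATE, DBMS_SQL and
# prepareStatement examples use. The user-controlled value becomes SQL text.
def login_concat(conn, name, password):
    sql = f"SELECT id FROM users WHERE name='{name}' AND password='{password}'"
    return sorted(row[0] for row in conn.execute(sql))


def phone_concat(conn, name):
    sql = f"SELECT phone FROM users WHERE name='{name}'"
    return sorted(row[0] for row in conn.execute(sql))


# Safe: bind parameters. The statement text is fixed at parse time and the
# driver passes the value separately, so quotes in the input are only data.
def login_bound(conn, name, password):
    sql = "SELECT id FROM users WHERE name=? AND password=?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def phone_bound(conn, name):
    sql = "SELECT phone FROM users WHERE name=?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def demo():
    """Run both variants against the two inputs from the impact slides."""
    conn = make_db()
    bypass = "' or '1'='1"                             # authentication-bypass input
    union = "' UNION SELECT credit_num FROM users --"  # information-disclosure input
    return {
        # concatenated: WHERE ... password='' or '1'='1' matches every user
        "concat_login": login_concat(conn, "admin", bypass),
        # bound: no user has that literal password, so nothing matches
        "bound_login": login_bound(conn, "admin", bypass),
        # concatenated: the UNION appends the credit_num column to the result
        "concat_phone": phone_concat(conn, union),
        # bound: no user has that odd name, so nothing is returned
        "bound_phone": phone_bound(conn, union),
        # bound with a legitimate credential still works
        "bound_valid": login_bound(conn, "admin", "constructed-pw-1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the output is not the payloads but the asymmetry: the bound queries return nothing for both inputs and still return the admin row for the real credential, because binding changes what the input is, not what it contains.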
DBMS_ASSERT
• ENQUOTE_LITERAL - Encloses the string literal within single quotation marks and raises an error if the string contains an unpaired single quote.

-- Vulnerable: the parameter is quoted by hand, so a quote inside dept_parm ends the literal early.
sql_stmt constant varchar2(32000) :=
  'SELECT count(*) FROM emp WHERE dept_name = ''' || dept_parm || '''';

-- Checked: ENQUOTE_LITERAL validates the quoting before the text is used.
literal varchar2(1024) := '''' || dept_parm || '''';
sql_stmt constant varchar2(32000) :=
  'SELECT count(*) FROM emp WHERE dept_name = '
  || SYS.DBMS_ASSERT.ENQUOTE_LITERAL(literal);
DBMS_ASSERT
• SIMPLE_SQL_NAME - Verifies that the string is a simple SQL name and raises an error otherwise.

-- Vulnerable: column and table names are spliced in straight from the parameters.
sql_stmt constant varchar2(32000) :=
  'SELECT ' || p_col || ' FROM ' || p_tab;

-- Checked: each identifier must pass SIMPLE_SQL_NAME before it is spliced into the statement.
sql_stmt constant varchar2(32000) :=
  'SELECT ' || SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(p_col)
  || ' FROM ' || SYS.DBMS_ASSERT.SIMPLE_SQL_NAME(p_tab);
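To see what the two DBMS_ASSERT checks on these slides accept and reject, the following Python emulation is added here; it is not Oracle's code and only approximates the package from its documented rules. `simple_sql_name` accepts an unquoted identifier (a letter followed by letters, digits, `_`, `$` or `#`) or a double-quoted identifier whose inner double quotes are doubled; `enquote_literal` returns the text wrapped in single quotes and rejects any inner single quote that is not doubled. The ASCII-only character class, the exception names and the two `build_*` helpers are the example's own; the real package is NLS-aware and does not check that the object exists.

```python
import re


class InvalidSqlName(ValueError):
    """Stands in for the 'invalid SQL name' error DBMS_ASSERT.SIMPLE_SQL_NAME raises."""


class UnpairedQuote(ValueError):
    """Stands in for the error DBMS_ASSERT.ENQUOTE_LITERAL raises on an unpaired quote."""


# Unquoted identifier: a letter, then letters, digits, '_', '$' or '#' (ASCII approximation).
UNQUOTED_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]*$")


def _runs_are_paired(text, quote):
    # Every run of the quote character must have even length, i.e. each quote is doubled.
    return all(len(run) % 2 == 0 for run in re.findall(re.escape(quote) + "+", text))


def simple_sql_name(name):
    """Emulation of DBMS_ASSERT.SIMPLE_SQL_NAME."""
    if UNQUOTED_NAME.match(name):
        return name
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"' \
            and _runs_are_paired(name[1:-1], '"'):
        return name
    raise InvalidSqlName(name)


def enquote_literal(text):
    """Emulation of DBMS_ASSERT.ENQUOTE_LITERAL.

    Leading and trailing single quotes are treated as the enclosing quotes (so an
    already-enquoted value is not double-wrapped); anything inside must be doubled.
    """
    already_quoted = len(text) >= 2 and text[0] == "'" and text[-1] == "'"
    inner = text[1:-1] if already_quoted else text
    if not _runs_are_paired(inner, "'"):
        raise UnpairedQuote(text)
    return "'" + inner + "'"


def build_count_query(dept_parm):
    # The slide's ENQUOTE_LITERAL pattern: quote by hand, then let the check validate it.
    literal = "'" + dept_parm + "'"
    return "SELECT count(*) FROM emp WHERE dept_name = " + enquote_literal(literal)


def build_select(p_col, p_tab):
    # The slide's SIMPLE_SQL_NAME pattern: both identifiers are checked before splicing.
    return "SELECT " + simple_sql_name(p_col) + " FROM " + simple_sql_name(p_tab)


def rejected(fn, *args):
    """True when the check raises, so a caller can record the decision instead of crashing."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(build_select("salary", "emp"))
    print(build_count_query("O''Brien"))
    for bad in ("salary FROM emp --", "emp; drop table emp", '"bad"quote"'):
        print(repr(bad), "rejected:", rejected(simple_sql_name, bad))
    print(repr("Sales' or '1'='1"), "rejected:", rejected(build_count_query, "Sales' or '1'='1"))
```

Note what the literal check does and does not do: it guarantees the value cannot terminate the string literal, which is what makes the deck's quoting pattern safe, but it says nothing about whether the value is a sensible department name. Input validation against an allow-list of expected values, and bind variables wherever the value is data rather than an identifier, remain the first choice.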
Error Handling
Do not disclose valuable information in error messages; it can be used to orchestrate an attack.
EXCEPTION
  WHEN OTHERS THEN
    dbms_output.put_line('No Data Found');
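The handler above returns a fixed message instead of the database's own. The following Python script, added here and not from the deck, shows the same failure handled both ways against an in-memory SQLite stand-in (constructed schema: the table deliberately has no PHONE column, so the lookup fails at runtime). The leaky handler passes the driver's message, which names the missing column, back to the caller; the safe handler keeps that detail in the server log and returns a generic message carrying a reference id so support staff can still find the logged cause. The reference id is this example's addition to the slide's pattern.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("app.db")


def make_db():
    """Constructed schema with no PHONE column, so the lookups below hit a real error."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice')")
    return conn


def lookup_leaky(conn, name):
    """Catches the error but hands the driver's message to the caller."""
    try:
        rows = conn.execute("SELECT phone FROM users WHERE name=?", (name,)).fetchall()
        return {"ok": True, "rows": rows}
    except sqlite3.Error as exc:
        # Reveals table and column names to whoever sent the request.
        return {"ok": False, "error": f"Database error: {exc}"}


def lookup_safe(conn, name):
    """Logs the full detail server-side and returns a generic message with a reference id."""
    try:
        rows = conn.execute("SELECT phone FROM users WHERE name=?", (name,)).fetchall()
        return {"ok": True, "rows": rows}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("lookup %s failed: %s", ref, exc)  # the detail stays in the server log
        return {"ok": False, "error": f"Request failed (ref {ref})"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    conn = make_db()
    print("leaky:", lookup_leaky(conn, "alice"))
    print("safe: ", lookup_safe(conn, "alice"))
```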
Defense = Security By Design
• Use Bind Arguments
• Error Handling – Do not disclose valuable information
• Input Validation
• Use DBMS_ASSERT
• Always validate HTML Fields / Parameters
• Carefully inspect dynamic SQL and filter parameters
• Use fully qualified names when calling packages.
Q & A
• Exploits of a Mom – XKCD – Randall Munroe
Design & Develop Secured Oracle Applications
Please Fill Out Your Evaluations
Oded Raz, Oracle ACE Director
Brillix LTD
Editor's Notes
  2. Demonstrate it against an example page in swiftcoders.com. If not applicable, consider the following example: go to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php and enter naïve input; go back to http://www.phy.duke.edu/~icon/work/clac/examples/inigo.php and this time enter: <script lanugauge="javascript">alert("hello")</script>
  8. Bypassing Authentication – A record is searched for with the supplied user name and password. If it is found (i.e. the query returns something other than an empty set), the authentication is considered successful. By injecting, the query is altered to always return something, since the '1'='1' clause is added, which always evaluates to TRUE. Therefore login will always succeed.