This document discusses attacking Oracle web applications using Metasploit and the wXf framework. It begins with an introduction of the speaker and describes why Oracle middleware is prevalent yet often unpatched. It then demonstrates how to locate Oracle servers, find default content, and abuse vulnerabilities in default pages. Examples are given for attacking Oracle Internet Application Server, Portal, and E-Business Suite. The document shows Metasploit modules for brute forcing Oracle iSQLPlus SIDs and logins. It emphasizes removing default content, patching systems, and using web application firewalls for defense.
The Oracle Cloud allows to build and configure various infrastructure resources. But you won't get far by just using "click acrobatics" via Web Console, especially if you want to build several similar and complex environments. A mouse click cannot be saved just like that. Oracle offers several API's to create and manage objects in OCI, e.g. Oracle OCI commandline utility, OCI SDK, Terraform Provider etc. This presentation will explain how to implement Infrastructure as Code in OCI using Terraform and the Oracle Terraform Provider. Using a training environment as an example, it will be shown how to build components with Terraform Server, databases and network components and how to scale them in terms of resources or number.
Security Best Practice: Oracle passwords, but secure!Stefan Oehrli
Authentication is an integral part of database security. If authentication or passwords are insufficient or inadequate, all further security measures are generally useless. But how do you ensure that passwords are complex and authentication is secure? In this presentation, the password hashes will be explained and it will be shown how to make sure passwords and authentication are state of the art. Focusing on the current versions of the Oracle database, the following topics will be discussed:
– Oracle database authentication
– Password verification and hashes
– Where can I find password hashes?
– Check and password hashes.
– Discussion of various risks related to authentication.
– Discussion of password policies and strong passwords.
– Customer Use Case in the DB Vault environment "ups we have forgotten the passwords"
SIMD extensions have been used since early 70’s in vector programming. They are mainly CPU specific and not Oracle specific. Nevertheless, they are used by Oracle and especially by In-Memory option to perform operations against Oracle In-Memory Compression Units. Oracle exploits SIMD extensions to perform data parallelism but without concurrency.
In this presentation, the data structure (vectors), CPU Registers, SIMD instructions and how they are used outside Oracle will be presented. As a consequence, we will see how the combination of both (data structure and instructions) can significantly reduce the number of operations. During this part, code samples written in C will be presented and executed to demonstrate it.
Then, a focus will be made on SIMD instructions inside Oracle and how it uses them: usage of specific libraries and Oracle kernel components that should use SIMD instructions.
The GNU Linux debugger helps us in this way to detect internal procedures usage that are based on SIMD instructions. It helps us to establish the link between SIMD instructions and Oracle operations like filters and aggregates. Then, it will be showed how SIMD instructions are involved in performance improvement.
Finally, a conclusion will be made on “why Oracle In-Memory performances would be improved in future versions”.
This presentation will help user to understand, by a bottom up analysis, how non-specific programming techniques are used by Oracle to improve performance with In-Memory Option and how the column format can benefit from this improvement.
Oracle 12c comes with a new Security offer, and a set of new features related to. By default, Oracle is not very well secured but it comes with a lot of tools and options to improve the security inside the database. The presentation will show to attendees that building a strong security policy based on 4 security topics can improve the data security. These ones are Authentication, Authorization, Encryption and Audit. Each of these four topics will be detailed by presenting Oracle 12c new security features, for example: privilege analysis, transparent network encryption and checksumming, unified auditing etc. Finally, a presentation on Database Vault will be made to show how a "divide and conquer" policy can improve the global security of Oracle databases.
Seminar Sehari
PHP Indonesia
Saturday, 5th May 2012
Pelajari lebih lanjut tentang PHP+Oracle di http://pojokprogrammer.net
Related Content:
http://pojokprogrammer.net/search/node/oracle
The Oracle Cloud allows to build and configure various infrastructure resources. But you won't get far by just using "click acrobatics" via Web Console, especially if you want to build several similar and complex environments. A mouse click cannot be saved just like that. Oracle offers several API's to create and manage objects in OCI, e.g. Oracle OCI commandline utility, OCI SDK, Terraform Provider etc. This presentation will explain how to implement Infrastructure as Code in OCI using Terraform and the Oracle Terraform Provider. Using a training environment as an example, it will be shown how to build components with Terraform Server, databases and network components and how to scale them in terms of resources or number.
Security Best Practice: Oracle passwords, but secure!Stefan Oehrli
Authentication is an integral part of database security. If authentication or passwords are insufficient or inadequate, all further security measures are generally useless. But how do you ensure that passwords are complex and authentication is secure? In this presentation, the password hashes will be explained and it will be shown how to make sure passwords and authentication are state of the art. Focusing on the current versions of the Oracle database, the following topics will be discussed:
– Oracle database authentication
– Password verification and hashes
– Where can I find password hashes?
– Check and password hashes.
– Discussion of various risks related to authentication.
– Discussion of password policies and strong passwords.
– Customer Use Case in the DB Vault environment "ups we have forgotten the passwords"
SIMD extensions have been used since early 70’s in vector programming. They are mainly CPU specific and not Oracle specific. Nevertheless, they are used by Oracle and especially by In-Memory option to perform operations against Oracle In-Memory Compression Units. Oracle exploits SIMD extensions to perform data parallelism but without concurrency.
In this presentation, the data structure (vectors), CPU Registers, SIMD instructions and how they are used outside Oracle will be presented. As a consequence, we will see how the combination of both (data structure and instructions) can significantly reduce the number of operations. During this part, code samples written in C will be presented and executed to demonstrate it.
Then, a focus will be made on SIMD instructions inside Oracle and how it uses them: usage of specific libraries and Oracle kernel components that should use SIMD instructions.
The GNU Linux debugger helps us in this way to detect internal procedures usage that are based on SIMD instructions. It helps us to establish the link between SIMD instructions and Oracle operations like filters and aggregates. Then, it will be showed how SIMD instructions are involved in performance improvement.
Finally, a conclusion will be made on “why Oracle In-Memory performances would be improved in future versions”.
This presentation will help user to understand, by a bottom up analysis, how non-specific programming techniques are used by Oracle to improve performance with In-Memory Option and how the column format can benefit from this improvement.
Oracle 12c comes with a new Security offer, and a set of new features related to. By default, Oracle is not very well secured but it comes with a lot of tools and options to improve the security inside the database. The presentation will show to attendees that building a strong security policy based on 4 security topics can improve the data security. These ones are Authentication, Authorization, Encryption and Audit. Each of these four topics will be detailed by presenting Oracle 12c new security features, for example: privilege analysis, transparent network encryption and checksumming, unified auditing etc. Finally, a presentation on Database Vault will be made to show how a "divide and conquer" policy can improve the global security of Oracle databases.
Seminar Sehari
PHP Indonesia
Saturday, 5th May 2012
Pelajari lebih lanjut tentang PHP+Oracle di http://pojokprogrammer.net
Related Content:
http://pojokprogrammer.net/search/node/oracle
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
Slides of the talk presented in the Hackers to Hackers Conference 2017 (H2HC 2017)
This talk discussed (a little bit deep) the root cause of these vulnerabilities in the context of the JVM
If you use scripting languages to power web, mobile, and/or enterprise applications, this session will show you how to use Oracle Database efficiently. It demonstrates how PHP can take full advantage of new performance, scalability, availability, and security features in Oracle Database 12c and Oracle Linux. Many of these features are available to other C-based scripting languages too, like Ruby, Python and Perl. DBA's will also benefit by seeing how applications can be monitored.
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...Andrejs Prokopjevs
This presentation covers a real life experience of implementing latest OUD 11gR2 integrated with Oracle E-Business Suite R12.2.5.
We will talk about:
- Introduction to OUD. What is different if we compare it with Oracle Internet Directory topology.
- Implementation process. Issues faced and what does not work out-of-the-box.
- Performance tuning considerations.
Oracle REST data service is a powerful utility to publish an Oracle database into a REST based webservice. This presentation will focus on basic installation of ORDS in a Tomcat server, PLSQL apis for publishing a REST service and securing the REST endpoints
Talk given by Pierre Ernst, Product Security Lead at Salesforce, at Hack Fest 2016 on November 2016
Pierre Ernst has 20 years of professional experience in building and breaking applications. His current focus is helping organisations improve their security posture by playing both offense and defense. In his spare time, he still enjoys finding high-value vulnerabilities and tries to make open source components more secure using his weapon of choice: code review. His favorite research topics include: weaponizing XML External Entity (XXE) attacks and XPath injections, finding novel ways of triggering hash table collisions and exploiting all sorts of deserialization technologies.
Fixing the Java Serialization mess
Deserializing untrusted input with Java has been known to be a risky proposition for at least 10 years. More recently, several vulnerabilities exploiting this flaw have been published. These deserialization vulnerabilities can be divided into 2 groups: endpoints allowing deserialization of arbitrary classes known to the application, or serialization “gadgets” allowing to weaponize malicious input for these endpoints. When it comes to fixing this class of vulnerabilities, it is hard to reach a consensus: some library maintainers consider that there is no point fixing the “gadgets” and that all application should simply stop accepting serialized input. Easier said than done…
While the root cause of the issue lies with a lenient Java API (not allowing to specify which class is to be deserialized), we need an immediate fix. This is why Pierre Ernst came up with the seminal “Look-ahead Java deserialization” concept in 2013.
During this talk, the current look-ahead implementation will be bypassed with a live demo, and a more robust mitigation will be presented.
SOUG Oracle Unified Audit for Multitenant DatabasesStefan Oehrli
Oracle Audit is a proven database functionality. Or maybe not? How does auditing look like in combination with Oracle Multitenant DBs? Does DB and Unified Audit work analogous to existing configurations? In the context of this lecture audit in Container DBs (19c/20c) will be discussed more closely. We will shown where to pay attention and how to adapt an audit concept to the new architecture. Specific problems and workarounds will be shown. The presentation will be complemented by demos.
Resting on your laurels will get you pownedDinis Cruz
Presentation delivered at BlackHat 2013. See these posts for more details on the Demos: http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html ., http://blog.diniscruz.com/2013/08/neo4j-csrf-payload-to-start-processes.html
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees:
The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the application’s classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application.
The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can facilitate as deserialization gadgets and thus help the attackers in exploiting deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the session’s start.
Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before it’s handled by the Java deserialization process.
--
This talk was presented by Christian Schneider & Alvaro Muñoz at the OWASP BeNeLux Day 2016.
Alvaro Retana Presentation in OAS SSIG 2016 - Washington DC
Organization of American States (OAS) / Inter- American Committee against Terrorism (CICTE) / IETF-LAC / LACNOG
An Overview of Deserialization Vulnerabilities in the Java Virtual Machine (J...joaomatosf_
Slides of the talk presented in the Hackers to Hackers Conference 2017 (H2HC 2017)
This talk discussed (a little bit deep) the root cause of these vulnerabilities in the context of the JVM
If you use scripting languages to power web, mobile, and/or enterprise applications, this session will show you how to use Oracle Database efficiently. It demonstrates how PHP can take full advantage of new performance, scalability, availability, and security features in Oracle Database 12c and Oracle Linux. Many of these features are available to other C-based scripting languages too, like Ruby, Python and Perl. DBA's will also benefit by seeing how applications can be monitored.
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...Andrejs Prokopjevs
This presentation covers a real life experience of implementing latest OUD 11gR2 integrated with Oracle E-Business Suite R12.2.5.
We will talk about:
- Introduction to OUD. What is different if we compare it with Oracle Internet Directory topology.
- Implementation process. Issues faced and what does not work out-of-the-box.
- Performance tuning considerations.
Oracle REST data service is a powerful utility to publish an Oracle database into a REST based webservice. This presentation will focus on basic installation of ORDS in a Tomcat server, PLSQL apis for publishing a REST service and securing the REST endpoints
Talk given by Pierre Ernst, Product Security Lead at Salesforce, at Hack Fest 2016 on November 2016
Pierre Ernst has 20 years of professional experience in building and breaking applications. His current focus is helping organisations improve their security posture by playing both offense and defense. In his spare time, he still enjoys finding high-value vulnerabilities and tries to make open source components more secure using his weapon of choice: code review. His favorite research topics include: weaponizing XML External Entity (XXE) attacks and XPath injections, finding novel ways of triggering hash table collisions and exploiting all sorts of deserialization technologies.
Fixing the Java Serialization mess
Deserializing untrusted input with Java has been known to be a risky proposition for at least 10 years. More recently, several vulnerabilities exploiting this flaw have been published. These deserialization vulnerabilities can be divided into 2 groups: endpoints allowing deserialization of arbitrary classes known to the application, or serialization “gadgets” allowing to weaponize malicious input for these endpoints. When it comes to fixing this class of vulnerabilities, it is hard to reach a consensus: some library maintainers consider that there is no point fixing the “gadgets” and that all application should simply stop accepting serialized input. Easier said than done…
While the root cause of the issue lies with a lenient Java API (not allowing to specify which class is to be deserialized), we need an immediate fix. This is why Pierre Ernst came up with the seminal “Look-ahead Java deserialization” concept in 2013.
During this talk, the current look-ahead implementation will be bypassed with a live demo, and a more robust mitigation will be presented.
SOUG Oracle Unified Audit for Multitenant DatabasesStefan Oehrli
Oracle Audit is a proven database functionality. Or maybe not? How does auditing look like in combination with Oracle Multitenant DBs? Does DB and Unified Audit work analogous to existing configurations? In the context of this lecture audit in Container DBs (19c/20c) will be discussed more closely. We will shown where to pay attention and how to adapt an audit concept to the new architecture. Specific problems and workarounds will be shown. The presentation will be complemented by demos.
Resting on your laurels will get you pownedDinis Cruz
Presentation delivered at BlackHat 2013. See these posts for more details on the Demos: http://blog.diniscruz.com/2013/08/using-xmldecoder-to-execute-server-side.html ., http://blog.diniscruz.com/2013/08/neo4j-csrf-payload-to-start-processes.html
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees:
The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the application’s classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application.
The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can facilitate as deserialization gadgets and thus help the attackers in exploiting deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the session’s start.
Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before it’s handled by the Java deserialization process.
--
This talk was presented by Christian Schneider & Alvaro Muñoz at the OWASP BeNeLux Day 2016.
Alvaro Retana Presentation in OAS SSIG 2016 - Washington DC
Organization of American States (OAS) / Inter- American Committee against Terrorism (CICTE) / IETF-LAC / LACNOG
I made this slide show from photographs I took at Beaver's Bend State Park in March, 2013. I showed it as the Spring Field Meeting of the Oklahoma Academy of Sciences (OAS) as a recruitment tool.
24/7 Media, formerly 24/7 Real Media was a technology company headquartered in New York City specializing in Digital Marketing. It provides digital marketing solutions for publishers, advertisers and agencies globally.
How to Make Sure Your Website Is Usable (ASA/AIA 2014)Kate Finn
Presented on March 11, 2014 at Aging Society of America's "Aging in America" conference in San Diego. Poor usability affects almost everyone, but affects Older Adults (OAs) more severely, more frequently. We discuss age-related changes and characteristics (visual, auditory, motor, cognitive, affective/attitudinal), and show examples of how these changes impact the user's experience. We recommend guidelines to follow for maximizing the usability of the web or app experience, along with examples of what to do and what to avoid doing.
This webinar is presented by Catherine Manson of Flemingdon Community Legal Services. It gives community service providers an overview of benefits and provisions of the Canada Pension Plan (CPP) and the Old Age Security Pension (OAS).
Viva Lauro de Freitas : Lauro de Freitas - BAOAS Imóveis
Que tal aproveitar a sua vida ao máximo? Chegar mais cedo do trabalho e ter mais tempo para a família. Ver seus filhos brincarem e ter uma estrutura de lazer que vai fazer você voltar a ser criança. Viver o perfeito equilíbrio de estar perto de tudo, mas sem abrir mão da sua tranquilidade. Agora você pode.
A OAS Empreendimentos acaba de criar o Viva Lauro de Freitas, um convite ao seu novo estilo de vida. Basta aceitar.
Help me move away from Oracle - or not?! (Oracle Community Tour EMEA - LVOUG...Lucas Jellema
I hear this aspiration from a growing number of organizations. Sometimes as a quite literal question. This however is merely half of a wish. Apparently, organizations want to quit with one thing — but have not yet stipulated what they desire instead. What is the objective that is pursued here? Only to get rid of Oracle? It will become clear why you should give a considerable thought about dropping Oracle, or any other vendors’ technology, when you’re not pleased with your current IT situation. You need to focus on the actual problems and objectives and define the suitable roadmap to fit your real needs. It turns out that the quest is usually for modernization and flexibility - and Oracle can very well be a part of that future.
Organizations with decades of investment in Oracle technology sometimes (and increasingly) express a wish to move away from Oracle. In this session, we will first explore where the desire to move away from Oracle might come from. Then we describe what the term Oracle represents — more than 2.000 products on all layers in the technology stack and in different business areas. Finally, we map out what the ‘moving away from’ consists of: defining where you ‘move to’ and subsequently actually going there.
It will become clear why you should give considerable thought about dropping Oracle, or any other vendors’ technology, when you’re not pleased with your current IT situation. You need to focus on the actual problems and objectives and define the suitable roadmap to fit your real needs. It turns out that the quest is usually for modernization and flexibility - and Oracle can very well be a part of that future.
Original storyline in this Medium Article: https://medium.com/real-vox/what-if-companies-say-help-me-move-away-from-oracle-ffbbc95afc4f
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
MySQL Document Store - A Document Store with all the benefts of a Transactona...Olivier DASINI
MySQL Document Store allows developers to work with SQL relational tables and schema-less JSON collections. To make that possible MySQL has created the X Dev API which puts a strong focus on CRUD by providing a fluent API allowing you to work with JSON documents in a natural way. The X Protocol is a highly extensible and is optimized for CRUD as well as SQL API operations.
For decades developers and DBAs have battled over who controls the world. With each new development paradigm the battle flares again as developers push DBAs to adopt and support new data structures (JSON), new APIs (REST services), new technologies (In-Memory) and new platforms (Cloud). In this session, Gerald Venzl takes on the role of lead developer on a project to deploy a RESTful web-based application for a new coffeeshop chain, while Maria Colgan takes on the role of the DBA. Through the use of live demos, they learn to work together to find a solution that will allow them to embrace a more agile development approach, as well as the latest technology trends without exposing the business to painful availability or security vulnerabilities.
VMworld 2013: Virtualizing Databases: Doing IT Right VMworld
VMworld 2013
Michael Corey, Ntirety, Inc
Jeff Szastak, VMware
Learn more about VMworld and register at http://www.vmworld.com/index.jspa?src=socmed-vmworld-slideshare
Forgotten world - Corporate Business Application SystemsERPScan
Enterprise Resource Planning (ERP) is the collection of computers, servers and databases that store & manage:
- Human Resources information
- Inventory
- Shipping
- Procurement
- Financial, Banking & Accounting
- Payroll.
Basically, it's data the company really cares about.
ERP seemed to be a forgotten world in information security field. However, any vulnerability or compromise of these systems can cause a significant monetary loss or even stoppage of business. Although a relatively new area, during the last year there has been more awareness of security problems in ERP.
This presentation covers such parts of ERP Security as ERP Security issues, Architecture Flaws, Vulnerabilities and others.
Misconfiguration is define as configuration mistakes that results in unintended application behavior that includes misuse of default passwords, privileges, and excessive debugging information disclosure
I/O Microbenchmarking with Oracle in MindBob Sneed
This presentation I gave at the 2006 Hotsos Symposium discusses a passion of mine; micro-benchmarking things that are actually relevant to one's mission! All-too-often, I've seen people obsess over results from ad-hoc testing that seem to indicate that they have a problem - when in fact, their test bear no real resemblance to the demands of their actual workloads! The principles discussed here are also important outside the realm of Oracle.
Security landscape has been a constantly and rapidly changing scenario in the last decades. Threats have evolved from targeting services' availability to targeting data and data integrity. Therefore, now more than ever, data protection becomes critical and needs an in-depth approach which starts from the databes. Learn more about what MySQL has to offer to help you put in place security best practices to start protecting your data straight from the database!
Java application security the hard way - a workshop for the serious developerSteve Poole
Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters but it’s hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands on exercises. Serious though the topic is, this practical session will be fun and will leaving you more informed and better prepared. Start building your security memory muscle here
The presentation provides the list of top 10 SAP vulnerabilities (2011-2012) as well as ways of defense.
1. Authentication Bypass via Verb tampering
2. Authentication Bypass via the Invoker servlet
3. Buffer overflow in ABAP Kernel
4. Code execution via TH_GREP
5. MMC read SESSIONID
6. Remote portscan
7. Encryption in SAPGUI
8. BAPI XSS/SMBRELAY
9. XML Blowup DOS
10. GUI Scripting DOS
Got data? Let's make it searchable! This interactive presentation will demonstrate getting documents into Solr quickly, will provide some tips in adjusting Solr's schema to match your needs better, and finally will discuss how showcase your data in a flexible search user interface. We'll see how to rapidly leverage faceting, highlighting, spell checking, and debugging. Even after all that, there will be enough time left to outline the next steps in developing your search application and taking it to production.
Similar to SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf (20)
Contrary to most presentations and blog posts there is more to AWS than S3. In a quest to create more re-usable code we have created WeirdAAL (AWS Attack Library). Offensively, WeirdAAL helps you answer the “what can I do with this AWS key”? We aim to answer that question, in a blackbox way, via recon modules and modules specifically dedicated to attack each of the interesting AWS service offerings while avoiding detection. It also provides multiple functions sorted by AWS service that you can use for both offensive and defensive checks.
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017Chris Gates
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk, we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environments resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us. This is an update to our 2016 Brucon talk. We plan to discuss what have we accomplished regarding the above in the last year. We plan to show how we have progressed with the automation of attacker activities and event generation using MITRE’s Cyber Analytics Repository & CAR Exploration Tool (CARET) along with pumping these results to Unfetter (https://iadgov.github.io/unfetter/) for aggregation and display in a useful format.
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
Building a Successful Internal Adversarial Simulation Team - Chris Gates & Ch...Chris Gates
Brucon 2016
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable process. It is extremely rare that a vulnerability causes a direct risk to an environment, it is usually what the attacker DOES with the access gained that matters. In this talk we will discuss the way that Internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the Defensive teams to measure the environments resistance to the attacks. We will demonstrate attacks, capabilities, TTP’s tracking, trending, positive metrics, hunt integration and most of all we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team. Sparring and training every day to be ready for the fight when it comes to us.
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
Sector 2016 Chris Gates & Haydn Johnson
Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:
-AWS Hardening
-AWS Monitoring
-AWS Disaster Recovery
-GitHub Monitoring
-OPINT
-Software Development Practices/Processes
-Secure use of Jenkins/Hudson
-Developer laptop hardening (OS X)
Going Purple : From full time breaker to part time fixer: 1 year later Chris Gates
A little over a year ago I made the transition from external security consultant to internal offensive security engineer at Facebook. I went from a full time breaker to part time fixer. This talk is aimed at providing lessons learned and documenting the mindset changes I've made over the last year that I feel can be used by the industry as a whole. I've broken the lessons learned into three primary buckets; Red, Blue, and Purple and the talk will hopefully bring value to anyone working in their respective bucket or assist in their creation/continuing of purple teaming at their company.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
Devoops: DoJ Annual Cybersecurity Training Symposium Edition 2015Chris Gates
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
In a rare mash-up, DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates (carnal0wnage) and Ken Johnson (cktricky) will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. Everything from common misconfigurations to remote code execution will be presented. This is research to bring awareness to those responsible for securing a DevOps environment.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
SOURCE Boston --Attacking Oracle Web Applications with Metasploit & wXf
1. Attacking Oracle Web Applications
with Metasploit (and wXf)
Chris Gates
carnal0wnage
2. Whoami
• Chris Gates (CG)
– Twitter carnal0wnage
– Blog carnal0wnage.attackresearch.com
– Job Sr. Security Consultant for Rapid7
– Affiliations Attack Research, Metasploit Project
• Work
• Previous Talks
– wXf Web eXploitation Framework
– Open Source Information Gathering
– Attacking Oracle (via TNS)
– Client-Side Attacks
3
3. Why Are We Here?
• Here to talk about attacking oracle web
applications (middleware)
• What’s out there and how prevalent it is
• Why so much of it is unpatched
• Demo Metasploit (and wXf) auxiliary
modules to find and attack it
• Not talking about XSS – but there’s plenty!
4
7. You Pay For Patches & Updates
Most products are free downloads but you
pay for support and patches
• Back to complicated. Have you ever tried
to find anything on the Metalink site?
8
13. Oracle does not release POC code
Oracle does not release POC code
Oracle does not support researchers releasing
code
“As a matter of policy, Oracle will not provide additional
information about the specifics of vulnerabilities beyond what
is provided in the CPU or Security Alert notification, the pre-
installation notes, the readme files, and FAQs. Oracle provides
all customers with the same information in order to protect all
customers equally. Oracle will not provide advance notification
or "insider information" on CPU or Security Alerts to individual
customers. Finally, Oracle does not develop or distribute
active exploit code (or "proof of concept code") for
vulnerabilities in our products.”
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
14
14. Difficult patch / upgrade processes
Complex applications breeds a “If it works don't
touch it” mentality
15
15. Database Security Companies Don’t Share Info
Sorry, I have no *proof* of this, but go look at
their latest advisories and CPU analysis
• http://www.cvedetails.com/vendor/93/Oracle.html
To see what the rest of us get left to work with
16
24. What is Oracle Middleware?
Enterprise Resource Planning (ERP)
Oracle E-Business Suite*
Oracle Application Server 9i/10g/11i**
Oracle Reports/Forms
Oracle Portal
Oracle Financials/Supplier/Recruitment
For Oracle lots of different products…
For this talk I’m going to lump them all together
as “web applications”
*Technically Oracle considers E-Business Suite an “application” as it rides on top of OAS
**weblogic
25
25. Market Share
Big list of customers
http://www.oracle.com/customers/cust_list_atoz.html
28
26. Reach
By now we should agree there's a lot of Oracle
out there...
That's good right?
Except a lot of it is un-patched and vulnerable
And all ERP and sensitive sites are internal
right?
Should we be worried about all the exposed
Oracle?
29
28. Locating Oracle Servers
Numerous server header strings:
www.owasp.org/index.php/Testing_for_
Oracle
Solution:
oracle_version_scanner.rb
http_version does this too (just tells you
all headers, not just Oracle)
31
30. Finding Default Content
First step is to find useful “stuff”
Google/Bing useful (Google Dorks)
Issue is how to find content internal or
when its not indexed
Solution:
oracle_oas_scan.rb
33
31. Finding Default Content
• oracle_oas_scan looks for interesting pages related to
oracle application servers & tries to tell you why its
important.
34
32. Did You Know?
Most Oracle Middleware applications
come with lots of default content
Must be manually removed (no patch to
remove content)
Must know exactly where and what files
to delete
Tons of information disclosure
Sometimes exploitation potential or
credential leakage
35
33. Abusing Default Content Examples (DB)
• /demo/sql/jdbc/JDBCQuery.jsp
• Ships with Oracle 9.2 Database and installed by default
36
34. Abusing Default Content Examples (DB)
• /demo/sql/jdbc/JDBCQuery.jsp
• Select sys.database_name
• '1'='2' UNION SELECT sys.database_name, -500 FROM Dual
37
35. Abusing Default Content Examples (DB)
• /demo/sql/jdbc/JDBCQuery.jsp
• Select sys.database_name
• '1'='2' UNION SELECT sys.login_user, -500 FROM Dual
38
36. Abusing Default Content Examples (OAS)
• Oracle Application Server 10g DAV Authentication Bypass
CVE-2008-2138
• /dav_portal/portal/ directory is protected using basic
authentication. It is possible to bypass and access content
of dav_portal by adding a specially crafted cookie value in
the http request header.
39
41. Abusing Default Content Examples (OAS)
• /xsql/adhocsql/sqltoxml.html
• Now in all fairness, this one usually doesn't
work...db usually isn't set up. But sometimes it is :-)
44
59. Fun E-Business Vulns
• http://www.hacktics.com/content/advisories/AdvORA200
91214.html
62
60. Fun E-Business Vulns
• http://www.slideshare.net/rootedcon/joxean-koret-
hackproofing-oracle-financials-11i-r12-rootedcon-2010
63
61. Defenses
• Use my scanners (or for-pay oracle
scanners) and remove default content
• Mod_rewrite rules may help redirect
malicious requests for E-Business.
• Patch
• Am I big weenie if I recommend a WAF?
– Caveat, I have NO idea if WAFs check for any of
this stuff (but I hope they do)
64
62. Oracle iSQLPlus
• Web-based interface to the TNS Listener
– Available on Oracle Database 9 & 10
isqlplus_sidbrute
isqlplus_login
65
63. Oracle iSQLPlus
isqlplus_sidbrute.rb
Different POST requests for 9 vs 10
Module fingerprints version and chooses correct POST
Uses SID list already in Metasploit
Using error message returned by Oracle determines valid SID
Wrong SID:
ORA-12154: TNS: could not resolve service name
Right SID (wrong password):
ORA-01017: invalid username/password; logon denied
66
66. Oracle iSQLPlus
isqlplus_sidbrute.rb
Added bonus, by default iSQLPlus authenticates to the first SID in
the tnsnames.ora file. This means we can pass no SID and it will
try to auth to the top SID in the tnsnames.ora file
69
67. Oracle iSQLPlus
isqlplus_sidbrute.rb
Added bonus, by default isqlplus (9 & 10) authenticates to the
first SID in the tnsnames.ora file. This means we can pass no SID
and it will try to auth to the top SID in the tnsnames.ora file
70
68. Oracle iSQLPlus
isqlplus_login.rb
Once we have a valid SID start checking for default user/pass
accounts
71
70. Oracle iSQLPlus
isqlplus_login.rb
Works on Oracle DB 10 as well
73
71. Defenses
• If you aren’t using...Remove it
• Why someone put full database access inside a web app
with just a user/pass is beyond me.
• Removed in 11g
74
72. Oracle Portal
Web based PL/SQL applications are enabled by the PL/SQL
Gateway, which is the component that translates web
requests into database queries.
Products that use the PL/SQL Gateway include, but are not
limited to, the Oracle HTTP Server, eBusiness Suite, Portal,
HTMLDB, WebDB and Oracle Application Server
Several software implementations, ranging from the early
web listener product to the Apache mod_plsql module to the
XML Database (XDB) web server.
75
74. Oracle Portal
• Essentially the PL/SQL Gateway simply acts as a proxy
server taking the user's web request and passes it on to
the database server where it is executed.
1. The web server accepts a request from a web client and determines
if it should be processed by the PL/SQL Gateway.
2. The PL/SQL Gateway processes the request by extracting the
requested package name, procedure, and variables.
3. The requested package and procedure are wrapped in a block of
anonymous PL/SQL, and sent to the database server.
4. The database server executes the procedure and sends the results
back to the Gateway as HTML.
5. The gateway sends the response, via the web server, back to the
client.
77
75. Oracle Portal
URLs for PL/SQL web applications are normally easily
recognizable and generally start with the following
http://www.example.com/pls/xyz
http://www.example.com/xyz/owa
http://www.example.com/xyz/portal
In this URL, xyz is the Database Access Descriptor, or
DAD. A DAD specifies information about the database
server so that the PL/SQL Gateway can connect. It
contains information such as the TNS connect string, the
user ID and password, authentication methods, etc
78
77. Oracle Portal
• Database Access Descriptors
Similar to SIDs, required to interact with the
portal.
Lots of defaults but can be anything alphanumeric
Common Defaults:
SIMPLEDAD ORASSO
HTMLDB SSODAD
PORTAL PORTAL2
PORTAL30 PORTAL30_SSO
DAD OWA
PROD APP
80
78. Oracle Portal
• oas_cgi_scan will find common Portal instances
81
79. Oracle Portal
• oas_cgi_scan will find common Portal instances
82
80. Oracle Portal
• oas_cgi_scan will find common Portal instances
83
81. Oracle DAD Scanner
• oracle_dad_scanner.rb
– Scans for common Oracle DADs
84
82. Oracle DAD Scanner
• oracle_dad_scanner.rb
– Scans for common Oracle DADs
85
83. Oracle DAD Scanner
• oracle_dad_scanner.rb
– Scans for common Oracle DADs
– Set VERBOSE to false to just see found DADs
86
85. Oracle Portal
• Verify mod_plsql gateway is running
• Null is valid function and should return a 200
• Something random is not, and should return a 404
– http://www.example.com/pls/dad/null
– http://www.example.com/pls/dad/nosuchfunction
• If the server responds with a 200 OK response for the first
and a 404 Not Found for the second then it indicates that
the server is running the PL/SQL Gateway.
• http://www.owasp.org/index.php/Testing_for_Oracle
88
87. Oracle Portal
• It is possible to exploit vulnerabilities in the PL/SQL
packages that are installed by default in the database
server. How you do this depends on the version of the
PL/SQL Gateway.
• Examples:
– http://www.example.com/pls/dad/OWA_UTIL.CELLSPRINT?
P_THEQUERY=SELECT+USERNAME+FROM+ALL_USERS
– http://www.example.com/pls/dad/CXTSYS.DRILOAD.VALIDATE_ST
MT?SQLSTMT=SELECT+1+FROM+DUAL
– http://server.example.com/pls/dad/orasso.home?);execute+imm
ediate+:1;--=select+1+from+dual
91
88. Oracle Portal Exploitation
• oracle_modplsql_pwncheck.rb
• Test the various PL/SQL gateway exploit methods
• Based on notsosecure.com’s oap.pl http://code.google.com/p/oaphacker/
92
89. Oracle Portal Exploitation
• oracle_modplsql_pwncheck.rb
• Test the various PL/SQL gateway exploit methods
93
96. Defenses
• Stop here…
• The rest is just for fun.
101
97. Oracle Portal Exploitation
• But I want shell! Or at least access to tasty data
• Next step is to escalate to DBA via privilege escalation, see
oracle Defcon 17 talk...
• Dependent on backend database version....if its patched,
you're out of luck
• Most functions run as PORTAL_PUBLIC user who is a limited
account
• However, some functions run as PORTAL user who is DBA
102
98. Oracle Portal Exploitation
• SQL Injection in function owned by PORTAL
• http://server/portal/pls/portal/PORTAL.wwexp_api_engine.action?p_otype=FO
LDER&p_octx=FOLDERMAP.1_6&p_datasource_data=document.SEARCH23915_
PAGESEARCH_146202305.ft&p_datasource_data=document.SEARCH23915_PAG
ESEARCH_146202305.fi&p_datasource_data=document.SEARCH23915_PAGESE
ARCH_146202305.fs&p_datasource_data=nls_sub_domain%3Dtext%2Cnls_nam
e%3Dfolderplpopup&p_domain=wwc&p_sub_domain=FOLDERMAP&p_back_ur
l=PORTAL.wwexp_render.show_tree%3Fp_otype%3DSITEMAP%26p_domain%3
Dwwc%26p_sub_domain%3DFOLDERMAP%26p_headerimage%3D%2Fimages%
2Fbhfind2.gif%26p_show_banner%3DNO%26p_show_cancel%3DNO%26p_title
%3DBrowse%2520Pages%26p_open_item%3D%26p_open_items%3D0.SITEMAP
.FOLDERMAP.0_-
1&p_action=show(wwexp_datatype.g_exp_param);execute%20immediate%20'
grant dba to public';end;--
103
111. Where To Get The Code
• iSQL*Plus modules are in the trunk now
• MSF Modules
– https://github.com/carnal0wnage/carnal0wnage-code
• Also in wXf (Web eXploitation Framework)
– https://github.com/WebExploitationFramework/wXf
116