Hackproofing Oracle Application Server

Introduction

Contrary to claims by Oracle Corporation C.E.O., Larry Ellison, Oracle 9 is breakable. Perhaps Oracle’s “Unbreakable” marketing campaign was intended more to show their commitment to getting close to producing a secure product, and indeed, Oracle do take security very seriously. Oracle’s products have undergone and passed fourteen independent security evaluations, including the Common Criteria assessment. In the database world this is quite an achievement, with all of Oracle’s competitors far behind. Whilst Oracle 9 has not yet been certified, it is no doubt currently being assessed. In the meantime, this paper will hopefully help Oracle customers get closer to the secure environment they were promised.

Some would consider writing a white paper on securing Oracle a task worthy of Sisyphus himself. Oracle Corporation develop hundreds of products, and each product could have its own dedicated paper. To limit the scope of this document, then, we will examine the most common environment: an Oracle web front end feeding into an Oracle database server. The main emphasis will be on the web front end; however, we will touch briefly upon the database as well. A more in-depth look at database security will be reserved for another paper.

This approach has been taken because the web server is the first port of call for an attacker. This paper will show how an attacker can break into an Oracle-based site, gaining control of the web front end and, from there, the database server. As each attack is explained, the defense against it will be covered. Whilst some of the issues discussed in this paper require only a tweak to a configuration file, where security patches are required to resolve a problem they may be obtained from the Oracle Metalink site: http://metalink.oracle.com/.


Oracle Architecture

A typical Oracle site will comprise a firewall protecting the Oracle web server and database server. The Oracle web server will be running a bespoke application, written in house by the organization that owns the site, which takes advantage of one of the feature-rich application environments provided with Oracle Application Server. It may be a PL/SQL application, JSP, XSQL, a Java servlet or a SOAP-based application. (Whilst Perl, FastCGI and others are supported, these are not often found in use ‘in the wild’ and so will not be covered.) On receiving a client request, the web server application dispatches it and, if necessary, connects to the database server to be furnished with dynamic content.
