Thursday, May 29, 2008

An Introduction to SQL Injection Attacks for Oracle Developers

Most application developers underestimate the risk of SQL injection attacks against web applications that use Oracle as the back-end database. Our audits of custom web applications show that many application developers do not fully understand the risk of SQL injection attacks or the simple techniques used to prevent such attacks.

This document is intended for application developers, database administrators, and application auditors, to highlight the risk of SQL injection attacks and to demonstrate why web applications may be vulnerable. It is not intended to be a tutorial on executing SQL injection attacks and does not give instructions for carrying out such attacks.

SQL injection is a basic attack used either to gain unauthorized access to a database or to retrieve information directly from the database. The principles behind a SQL injection attack are simple, and these types of attacks are easy to perform and master.

We believe that web applications using Oracle as a back-end database are more vulnerable to SQL injection attacks than most application developers believe. Our application audits have found many web applications vulnerable to SQL injection even though well-established coding standards were in place during the development of many of these applications. Function-based SQL injection attacks are the most worrying, because they do not require knowledge of the application and can be easily automated.

Oracle has generally fared well against SQL injection attacks because it has no support for multiple SQL statements in one query (unlike SQL Server and PostgreSQL), no EXECUTE statement (SQL Server), and no INTO OUTFILE function (MySQL). Also, the use of bind variables in Oracle environments for performance reasons provides the most effective protection against SQL injection attacks. Oracle may provide stronger and more inherent protections against SQL injection attacks than other databases; however, Oracle-based applications without proper defenses against these types of attacks may still be vulnerable.
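The bind-variable point above, shown as an added example that is not part of the original post or the paper it links to. It stands up a constructed in-memory SQLite table so it runs offline; the `:name` placeholder syntax is the same bind-variable syntax Oracle uses (and that cx_Oracle accepts with a dict of values), so the hardened query reads the same way it would against an Oracle schema.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for an application's user table.
    SQLite is used only so the example runs offline; it is not Oracle."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn, username, password):
    """Vulnerable pattern: user input is spliced into the SQL text, so the
    input can change the structure of the statement, not just its values."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def login_bind(conn, username, password):
    """Hardened pattern: the SQL text is fixed and the values travel as bind
    variables (':uname', ':pwd'), so quotes in the input are just data."""
    sql = ("SELECT username FROM users WHERE username = :uname "
           "AND password = :pwd ORDER BY username")
    params = {"uname": username, "pwd": password}
    return [row[0] for row in conn.execute(sql, params)]


def demo():
    """Run both variants with a normal login and with a quote-bearing input.
    Returns the matched usernames so the difference can be checked."""
    conn = make_db()
    # Constructed input containing a single quote; with concatenation it turns
    # the WHERE clause into a tautology, with binds it is simply a wrong password.
    quoted_input = "' OR '1'='1"
    return {
        "concat_normal": login_concat(conn, "alice", "s3cret"),
        "bind_normal": login_bind(conn, "alice", "s3cret"),
        "concat_quoted": login_concat(conn, "alice", quoted_input),
        "bind_quoted": login_bind(conn, "alice", quoted_input),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated query returns every user for the quoted input, while the bound query returns nothing, which is the whole reason the paper calls bind variables the most effective defense.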

Download An Introduction to SQL Injection Attacks for Oracle Developers
