This morning I was at a security seminar hosted by Oracle and I just wanted to talk about some of the interesting points raised.

To my surprise, I found that there are quite a few sites out there that haven't even bothered to take basic steps to ensure their site is secure. A lot of hackers still succeed with simple URL manipulation and directory traversal. It just goes to show that RTFM for your server could save you a lot of headache.

Another common source of hacks was those hidden, harmless-looking backup files that nobody cares about. If you are used to UNIX systems, you know that backed-up files might end with ~. Well, that's another point of attack. Say, for example, you have a PHP file (user_account.php) whose first few lines connect to the DB, and the script goes on to return user information. Potentially the file could start with something like:


<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'password';
$conn = mysql_connect($dbhost, $dbuser, $dbpass) or die('Error connecting to mysql');


Calling the PHP file through the web server returns HTML, and you won't even know about the DB connection. But what happens if someone has left a backup of that file named user_account.php.bak? It is just as easily done if the file was modified in Vim, which will create a backup called user_account.php~. When either user_account.php~ or user_account.php.bak is requested, your web server won't know how to handle the request and will default to plain text… and voilà, the DB code is right there. Proper version control and basic web server configuration could easily prevent this.
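As an added example (not from the original post or the seminar), here is a small Python audit that walks a document root and reports backup copies like the ones described above, noting whether the original was a server-side script and whether the copy contains a credential-like line. The suffix list, the script-extension list, the credential pattern and the function names are all assumptions made for this sketch, and the sample tree is constructed.

```python
import os
import re
import tempfile

# Suffixes left behind by editors and manual copies (assumed list; extend as needed).
BACKUP_SUFFIX = re.compile(r"(~|\.bak|\.old|\.orig|\.save|\.swp)$", re.IGNORECASE)
# Extensions the server would normally execute instead of sending as text (assumed).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|jsp|asp|aspx|cgi|pl|py)$", re.IGNORECASE)
# Lines that look like an embedded credential, e.g. $dbpass = 'password';
SECRET_LINE = re.compile(r"(pass(word|wd)?|secret|api_?key)\w*\s*=\s*['\"]", re.IGNORECASE)


def audit_docroot(docroot):
    """Return sorted (relative_path, is_script_source, has_secret) tuples
    for every backup-style file found under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            match = BACKUP_SUFFIX.search(name)
            if not match:
                continue
            # Name of the file this is a copy of, e.g. user_account.php
            original = name[:match.start()]
            is_script = bool(SCRIPT_EXT.search(original))
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                has_secret = any(SECRET_LINE.search(line) for line in fh)
            findings.append((os.path.relpath(path, docroot), is_script, has_secret))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample tree mirroring the user_account.php case in the post."""
    root = tempfile.mkdtemp(prefix="docroot_")
    source = "<?php\n$dbuser = 'root';\n$dbpass = 'password';\n"
    for name in ("user_account.php", "user_account.php~", "user_account.php.bak"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write(source)
    with open(os.path.join(root, "notes.txt.old"), "w") as fh:
        fh.write("release checklist\n")
    return root


if __name__ == "__main__":
    for rel, is_script, has_secret in audit_docroot(build_sample_docroot()):
        print(f"{rel}: script_source={is_script} credential_like_line={has_secret}")
```

Run against a real document root as part of deployment checks; any finding with both flags set is a file to remove and a credential to rotate.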

The more interesting hacks involved XSS (short for Cross-Site Scripting), and what it comes down to is properly escaping all form fields, including file uploads. Even better, use a framework that does this for you (e.g. Struts output mechanisms such as <bean:write … >, or <c:out … > with the default JSTL escapeXml="true" attribute). The problem with XSS is that some genuine tools use that technique to embed valid scripts on clients' machines; Google Analytics is one of them, if I am not mistaken.

In conclusion, the relative ease with which one was able to infect a site was truly amazing, and with the advent of social networks the spread of these attacks serves only to inflame the situation. Developers need to be educated and trained to prevent hackers from exploiting these basic techniques.

The second part of the seminar was a sales pitch, so the less said about that the better ;).
