Testing for Oracle

From OWASP
Revision as of 10:55, 1 December 2006 by Mmeucci (Talk | contribs)

Jump to: navigation, search

[Up]
OWASP Testing Guide v2 Table of Contents

Contents


Brief Summary


In this section is described how to test an Oracle DB from the web.

Description of the Issue


Web based PL/SQL applications are enabled by the PL/SQL Gateway - it is the component that translates web requests into database queries. Oracle has developed a number of different software implementations however ranging from the early web listener product to the Apache mod_plsql module to the XML Database (XDB) web server. All have their own quirks and issues each of which will be thoroughly investigated in this paper. Products that use the PL/SQL Gateway include, but are not limited to, the Oracle HTTP Server, eBusiness Suite, Portal, HTMLDB, WebDB and Oracle Application Server.

Black Box testing and example

Understanding how the PL/SQL Gateway works
Essentially the PL/SQL Gateway simply acts as a proxy server taking the user's web request and passing it on to the database server where it is executed.

1) Web server accepts request from a web client and determines it should be processed by the PL/SQL Gateway 2) PL/SQL Gateway processes request by extracting the requested package name and procedure and variables 3) Requested package and procedure is wrapped in a block on anonymous PL/SQL and sent to the database server. 4) Database server executes the procedure and sends the results back to the Gateway as HTML 5) Gateway via the web server sends response back to the client

Understaning this is important - the PL/SQL code does not exist on the web server but, rather, in the database server. This means that any weaknesses in the PL/SQL Gateway or any weaknesses in the PL/SQL application, when exploited, give an attacker direct access to the database server - no amount of firewalls will prevent this.

URLs for PL/SQL web applications are normally easily recognizable and generally start with the following (xyz can be any string and represents a Database Access Descriptor, which you will learn more about later):

http://www.example.com/pls/xyz
http://www.example.com/xyz/owa
http://www.example.com/xyz/plsql

While the second and third of these examples represent URLs from older versions of the PL/SQL Gateway, the first is from more recent versions running on Apache. In the plsql.conf Apache configuration file, /pls is the default, specified as a Location with the PLS module as the handler. The location need not be /pls, however. The absence of a file extension in a URL could indicate the presence of the Oracle PL/SQL Gateway. Consider the following URL:

http://www.server.com/aaa/bbb/xxxxx.yyyyy

If xxxxx.yyyyy were replaced with something along the lines of “ebank.home,” “store.welcome,” “auth.login,” or “books.search,” then there’s a fairly strong chance that the PL/SQL Gateway is being used. It is also possible to precede tha requested package and procedure with the name of the user that owns it - i.e. the schema - in this case the user is "webuser":

http://www.server.com/pls/xyz/webuser.pkg.proc

In this URL, xyz is the Database Access Descriptor, or DAD. A DAD specifies information about the database server so that the PL/SQL Gateway can connect. It contains information such as the TNS connect string, the user ID and password, authentication methods, and so on. These DADs are specified in the dads.conf Apache configuration file in more recent versions or the wdbsvr.app file in older versions. Some default DADs include the following:

SIMPLEDAD
HTMLDB
ORASSO
SSODAD
PORTAL
PORTAL2
PORTAL30
PORTAL30_SSO
TEST
DAD
APP
ONLINE
DB
OWA

Determining if the PL/SQL Gateway is running
When performing an asssessment against a server it's important first to know what technology you're actually dealing with. If you don't already know, for example in a black box assessment scenario, then the first thing you need to do is work this out. Recognizing a web based PL/SQL application is pretty easy. Firstly there is the format of the URL and what it looks like, discussed above. Beyond that there are a set of simple tests that can be performed to test for the existence of the PL/SQL Gateway.

Server response headers
The web server's response headers are a good indicator as to whether the server is running the PL/SQL Gateway. The table below lists some of the typical server response headers:

Oracle-Application-Server-10g
Oracle-Application-Server-10g/10.1.2.0.0 Oracle-HTTP-Server
Oracle-Application-Server-10g/9.0.4.1.0 Oracle-HTTP-Server
Oracle-Application-Server-10g OracleAS-Web-Cache-10g/9.0.4.2.0 (N)
Oracle-Application-Server-10g/9.0.4.0.0
Oracle HTTP Server Powered by Apache
Oracle HTTP Server Powered by Apache/1.3.19 (Unix) mod_plsql/3.0.9.8.3a
Oracle HTTP Server Powered by Apache/1.3.19 (Unix) mod_plsql/3.0.9.8.3d
Oracle HTTP Server Powered by Apache/1.3.12 (Unix) mod_plsql/3.0.9.8.5e
Oracle HTTP Server Powered by Apache/1.3.12 (Win32) mod_plsql/3.0.9.8.5e
Oracle HTTP Server Powered by Apache/1.3.19 (Win32) mod_plsql/3.0.9.8.3c
Oracle HTTP Server Powered by Apache/1.3.22 (Unix) mod_plsql/3.0.9.8.3b 
Oracle HTTP Server Powered by Apache/1.3.22 (Unix) mod_plsql/9.0.2.0.0 
Oracle_Web_Listener/4.0.7.1.0EnterpriseEdition
Oracle_Web_Listener/4.0.8.2EnterpriseEdition
Oracle_Web_Listener/4.0.8.1.0EnterpriseEdition
Oracle_Web_listener3.0.2.0.0/2.14FC1
Oracle9iAS/9.0.2 Oracle HTTP Server
Oracle9iAS/9.0.3.1 Oracle HTTP Server

The NULL test
In PL/SQL "null" is a perfectly acceptable expression:

SQL> BEGIN
 2  NULL;
 3  END;
 4  /

PL/SQL procedure successfully completed.

We can use this to test if the server is running the PL/SQL Gateway. Simple take the DAD and append NULL then append NOSUCHPROC:

http://www.example.com/pls/dad/null
http://www.example.com/pls/dad/nosuchproc

If the server responds with a 200 OK response for the first and a 404 Not Found for the second then it indicates that the server is running the PL/SQL Gateway.


Result Expected:
...

Gray Box testing and example

Testing for Authentication credential management:

  • Unlimited failed login attempts

Check the FAILED_LOGIN_ATTEMPTS parameter:

This can be achieved by ht e following SQL:

List security related profile information

conn / as sysdba
col profile format a20 
col limit   format a20
select profile, resource_name, limit 
from   dba_profiles
where  resource_name like '%PASSWORD%' 
  or  resource_name like '%LOGIN%'/


The FAILED_LOGIN_ATTEMPTS parameter is used to limit to the number of failed login attempts allowed before a user account is locked by the data base.

FAILED_LOGIN_ATTEMPTS can be set to a specific number of attempts; to UNLIMITED (never lock an account), to DEFAULT, which refers to the value indicated in the DEFAULT profile.

Setting this value reduces the potential success of a brute force attack and alerts. Once an account is locked it can not be logged into for a defined number of days or until the administrator unlocks the account.

  • Password Expiry
  • Password reuse
  • Unencrypted Database Link Password
  • Default Roles
  • PUBLIC Object Permissions
  • UTL Package Permissions
  • Default Tablespace

Result Expected:
...

References

Whitepapers
...
Tools
...


OWASP Testing Guide v2

Here is the OWASP Testing Guide v2 Table of Contents