Testing for Oracle
In this section is described how to test an Oracle DB from the web.
Description of the Issue
Web based PL/SQL applications are enabled by the PL/SQL Gateway - it is the component that translates web requests into database queries. Oracle has developed a number of different software implementations however ranging from the early web listener product to the Apache mod_plsql module to the XML Database (XDB) web server. All have their own quirks and issues each of which will be thoroughly investigated in this paper. Products that use the PL/SQL Gateway include, but are not limited to, the Oracle HTTP Server, eBusiness Suite, Portal, HTMLDB, WebDB and Oracle Application Server.
Black Box testing and example
Understanding how the PL/SQL Gateway works
Essentially the PL/SQL Gateway simply acts as a proxy server taking the user's web request and passing it on to the database server where it is executed.
1) Web server accepts request from a web client and determines it should be processed by the PL/SQL Gateway 2) PL/SQL Gateway processes request by extracting the requested package name and procedure and variables 3) Requested package and procedure is wrapped in a block on anonymous PL/SQL and sent to the database server. 4) Database server executes the procedure and sends the results back to the Gateway as HTML 5) Gateway via the web server sends response back to the client
Understaning this is important - the PL/SQL code does not exist on the web server but, rather, in the database server. This means that any weaknesses in the PL/SQL Gateway or any weaknesses in the PL/SQL application, when exploited, give an attacker direct access to the database server - no amount of firewalls will prevent this.
URLs for PL/SQL web applications are normally easily recognizable and generally start with the following (xyz can be any string and represents a Database Access Descriptor, which you will learn more about later):
http://www.example.com/pls/xyz http://www.example.com/xyz/owa http://www.example.com/xyz/plsql
While the second and third of these examples represent URLs from older versions of the PL/SQL Gateway, the first is from more recent versions running on Apache. In the plsql.conf Apache configuration file, /pls is the default, specified as a Location with the PLS module as the handler. The location need not be /pls, however. The absence of a file extension in a URL could indicate the presence of the Oracle PL/SQL Gateway. Consider the following URL:
If xxxxx.yyyyy were replaced with something along the lines of “ebank.home,” “store.welcome,” “auth.login,” or “books.search,” then there’s a fairly strong chance that the PL/SQL Gateway is being used. It is also possible to precede tha requested package and procedure with the name of the user that owns it - i.e. the schema - in this case the user is "webuser":
In this URL, xyz is the Database Access Descriptor, or DAD. A DAD specifies information about the database server so that the PL/SQL Gateway can connect. It contains information such as the TNS connect string, the user ID and password, authentication methods, and so on. These DADs are specified in the dads.conf Apache configuration file in more recent versions or the wdbsvr.app file in older versions. Some default DADs include the following:
SIMPLEDAD HTMLDB ORASSO SSODAD PORTAL PORTAL2 PORTAL30 PORTAL30_SSO TEST DAD APP ONLINE DB OWA
Determining if the PL/SQL Gateway is running
When performing an asssessment against a server it's important first to know what technology you're actually dealing with. If you don't already know, for example in a black box assessment scenario, then the first thing you need to do is work this out. Recognizing a web based PL/SQL application is pretty easy. Firstly there is the format of the URL and what it looks like, discussed above. Beyond that there are a set of simple tests that can be performed to test for the existence of the PL/SQL Gateway.
Server response headers
The web server's response headers are a good indicator as to whether the server is running the PL/SQL Gateway. The table below lists some of the typical server response headers:
Oracle-Application-Server-10g Oracle-Application-Server-10g/10.1.2.0.0 Oracle-HTTP-Server Oracle-Application-Server-10g/126.96.36.199.0 Oracle-HTTP-Server Oracle-Application-Server-10g OracleAS-Web-Cache-10g/188.8.131.52.0 (N) Oracle-Application-Server-10g/184.108.40.206.0 Oracle HTTP Server Powered by Apache Oracle HTTP Server Powered by Apache/1.3.19 (Unix) mod_plsql/220.127.116.11.3a Oracle HTTP Server Powered by Apache/1.3.19 (Unix) mod_plsql/18.104.22.168.3d Oracle HTTP Server Powered by Apache/1.3.12 (Unix) mod_plsql/22.214.171.124.5e Oracle HTTP Server Powered by Apache/1.3.12 (Win32) mod_plsql/126.96.36.199.5e Oracle HTTP Server Powered by Apache/1.3.19 (Win32) mod_plsql/188.8.131.52.3c Oracle HTTP Server Powered by Apache/1.3.22 (Unix) mod_plsql/184.108.40.206.3b Oracle HTTP Server Powered by Apache/1.3.22 (Unix) mod_plsql/220.127.116.11.0 Oracle_Web_Listener/18.104.22.168.0EnterpriseEdition Oracle_Web_Listener/22.214.171.124EnterpriseEdition Oracle_Web_Listener/126.96.36.199.0EnterpriseEdition Oracle_Web_listener188.8.131.52.0/2.14FC1 Oracle9iAS/9.0.2 Oracle HTTP Server Oracle9iAS/184.108.40.206 Oracle HTTP Server
The NULL test
In PL/SQL "null" is a perfectly acceptable expression:
SQL> BEGIN 2 NULL; 3 END; 4 / PL/SQL procedure successfully completed.
We can use this to test if the server is running the PL/SQL Gateway. Simple take the DAD and append NULL then append NOSUCHPROC:
If the server responds with a 200 OK response for the first and a 404 Not Found for the second then it indicates that the server is running the PL/SQL Gateway.
Gray Box testing and example
Testing for Authentication credential management:
- Unlimited failed login attempts
Check the FAILED_LOGIN_ATTEMPTS parameter:
This can be achieved by ht e following SQL:
List security related profile information
conn / as sysdba col profile format a20 col limit format a20 select profile, resource_name, limit from dba_profiles where resource_name like '%PASSWORD%' or resource_name like '%LOGIN%'/
The FAILED_LOGIN_ATTEMPTS parameter is used to limit to the number of failed login attempts allowed before a user account is locked by the data base.
FAILED_LOGIN_ATTEMPTS can be set to a specific number of attempts; to UNLIMITED (never lock an account), to DEFAULT, which refers to the value indicated in the DEFAULT profile.
Setting this value reduces the potential success of a brute force attack and alerts. Once an account is locked it can not be logged into for a defined number of days or until the administrator unlocks the account.
- Password Expiry
- Password reuse
- Unencrypted Database Link Password
- Default Roles
- PUBLIC Object Permissions
- UTL Package Permissions
- Default Tablespace
OWASP Testing Guide v2
Here is the OWASP Testing Guide v2 Table of Contents