DBSecWorx Code Library

We have identified a number of Oracle built-ins that are critically important for creating and maintaining a secure environment. Some can be used to access data, some to probe their environment, and some to trigger a Denial of Service attack. Others can and should be deployed to mitigate dangers and minimize the attack surface. If you are not familiar with them, you cannot protect your database or your data.

While much of the basic information here is identical to that in Morgan's Library, every page here at DBSecWorx contains content and working demos specific to identifying and addressing security issues.

| Topic | Versions | Updated | Comment |
|---|---|---|---|
| Accessible By Clause | 12.1 - 19.3 | 24-Jun-2019 | Keep PL/SQL code from being executed independently rather than only as part of the application. |
| Data Control Language (DCL) | All | 10-Jun-2019 | DCL includes the GRANT and REVOKE statements. This page is a quick security review. |
| Data Definition Language (DDL) | All | 14-Jun-2019 | Misuse of DDL commands can result in Denial of Service, outages, and assist data theft. |
| DBMS_ADVANCED_REWRITE | 10.1 - 19.3 | 24-Jun-2019 | You wrote good code and tested it thoroughly. Too bad the optimizer isn't running it. |
| DBMS_ASSERT | 10.2 - 19.3 | 27-May-2019 | An essential tool that, properly used, puts an end to SQL Injection attacks. |
| DBMS_AUDIT_MGMT | 11.1 - 19.3 | 31-May-2019 | API for managing database auditing; be sure you carefully monitor its use. |
| DBMS_AUDIT_UTIL | 12.2 - 19.3 | 09-Jun-2019 | Contains functions for formatting the output of audit views. |
| DBMS_CRYPTO | 10.1 - 19.3 | 24-Jun-2019 | The issue with this package is that the docs are incomplete, and what you don't know is dangerous. |
| DBMS_CRYPTO_FFI | 12.1 - 19.3 | 25-Jun-2019 | There are no known issues specific to this package, but it likely carries the risks associated with DBMS_CRYPTO. |
| DBMS_CRYPTO_INTERNAL | 12.2 - 19.3 | 07-Jul-2019 | There are no known issues specific to this package, but it likely carries the risks associated with DBMS_CRYPTO. |
| DBMS_LOG | 12.1 - 19.3 | 12-Jul-2019 | A built-in API for writing to the ALERT and/or system logs. |
| DBMS_LOGMNR | 8.1.5 - 19.3 | 08-Jul-2019 | Every database, relational or non-relational, has a transaction log. The more you learn, the safer you are. |
| DBMS_METADATA | 9.0 - 19.3 | 01-Jun-2019 | Sometimes it is hard to choose which of the Oracle packages is the worst security compromise. |
| DBMS_PQ_INTERNAL | 12.2 - 19.3 | 08-Jul-2019 | An undocumented, unsupported package. We are not sure what it can do, so be sure no one uses it. |
| DBMS_PRIVILEGE_CAPTURE | 12.1 - 19.3 | 11-Jul-2019 | Knowing who has what privileges can assist or thwart an attack. |
| DBMS_PSWMG_IMPORT | N/A - 19.3 | 14-Jun-2019 | Undocumented, but has capabilities related to importing and purging password history. |
| DBMS_SQLDIAG | 11.1 - 19.3 | 27-Jul-2019 | How could SQL Diagnostics be an issue? In many, many ways. |
| DBMS_SQLQ | 19.3 | 28-Jun-2019 | New functionality in 19c, and again Oracle grants execute to PUBLIC: an easy Denial of Service attack. |
| DBMS_UTILITY | 7.3.4 - 19.3 | 29-May-2019 | Much of this package is essentially harmless utilities, but there is danger hiding in there too. |
| DBMS_WARNING | 10.1 - 19.3 | 03-Jun-2019 | PL/SQL Warnings are disabled by default; they shouldn't be. This is the API for managing them. |
| DBMS_WARNING_INTERNAL | 10.1 - 19.3 | 14-Jun-2019 | An undocumented supporting package for DBMS_WARNING. |
| DBMS_XSLPROCESSOR | 10.1 - 19.3 | 27-May-2019 | This package contains a vulnerability that can aid data exfiltration if not addressed. |
| Lockdown Profiles | 12.2 - 19.3 | 03-Jul-2019 | This single feature is important enough to justify moving to the new Container architecture. |
| Native Dynamic SQL | 8.1.5 - 19.3 | 03-Jun-2019 | Constructing active SQL from strings is very powerful but can also hide dangerous code. |
| Object Privileges | All | 26-May-2019 | Some privileges have changed since version 7.3.4, but many have not, and the principles are the same. |
| OWM_ASSERT_PKG | 12.2 - 19.3 | 14-Jul-2019 | OWM stands for Oracle Wallet Manager ... "ASSERT" indicates a risk of SQL Injection attack. |
| PL/SQL Warnings | 10.1 - 19.3 | 03-Jun-2019 | Invaluable and essentially never enabled. You should enable them in every database you have. |
| Profiles | 7.3.4 - 19.3 | 10-Jun-2019 | Profiles are a powerful security tool when used correctly. |
| Recycle Bin | 10.1 - 19.3 | 04-Jul-2019 | Dropping a table does not mean that your data is gone. |
| Ref Cursors | 7.3 - 19.3 | 08-Jun-2019 | Constructing active SQL from strings is very powerful but can also hide dangerous code. |
| Startup Parameters | All | 19-Aug-2019 | Many startup (initialization) parameters impact database security. |
| System Privileges | All | 26-May-2019 | Some privileges have changed since version 7.3.4, but many have not, and the principles are the same. |
| SYS_CONTEXT Functions | ? - 19.3 | 15-Jul-2019 | Valuable functions that should be incorporated into auditing, exception handling, and logging. |
| UTL_SMTP | 8.1.7 - 19.3 | 06-Jun-2019 | This documented package can, by default, send data directly from your database to anywhere. |
| UTL_TCP | 8.1.7 - 19.3 | 06-Jun-2019 | What's the harm in making a TCP/IP connection from your database without authorization? Find out. |
 
Copyright © 2019 DBSecWorx. All rights reserved.