Penetration Testing mailing list archives
Re: Oracle Application Server 10g question
From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 16 Mar 2007 14:43:25 +0100 (ora solare Europa occidentale)
Lee,

On Wed, 14 Mar 2007, Lee Lawson wrote:

> Hi all, I am conducting a pen test of a web application built on Oracle Application Server 10g. Aside from all of the problems that this system has with XSS, especially within the SSO, I have a question regarding a specific error message that is returned.

Hrm... You're testing an interesting and powerful beast, with plenty of dangerous vulnerabilities, besides the obvious XSS issues. I'd strongly suggest you take a look at:

http://www.owasp.org/index.php/Testing_for_Oracle
http://www.ngssoftware.com/papers/hpoas.pdf (old but still interesting)

David Litchfield's Oracle Hacker's Handbook is also an excellent resource on this subject.

Yeah, I know this doesn't actually answer your original question, but hopefully it will help you to dig a bit more into exploitation of the PL/SQL gateway ;)
Ciao,

--
Marco Ivaldi, OPST
Chief Security Officer
Data Security Division @ Mediaservice.net Srl
http://mediaservice.net/