Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Oracle Application Server 10g question
From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 16 Mar 2007 14:43:25 +0100 (ora solare Europa occidentale)

Lee,

On Wed, 14 Mar 2007, Lee Lawson wrote:

Hi all,

I am conducting a pen test of a web application built on Oracle
Application Server 10g.  Aside from all of the problems that this
system has with XSS, especially within the SSO, I have a question
regarding a specific error message that is returned.

Hrm... You're testing an interesting and powerful beast, with plenty of dangerous vulnerabilities, beside the obvious XSS issues. I'd strongly suggest you to take a look at:

http://www.owasp.org/index.php/Testing_for_Oracle
http://www.ngssoftware.com/papers/hpoas.pdf (old but still interesting)

David Litchfield's Oracle Hacker's Handbook is also an excellent resource on this subject.

Yeah, i know this doesn't actually answer your original question, but hopefully it will help you to dig a bit more into exploitation of the PL/SQL gateway;)

Ciao,

--
Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]