Penetration Testing mailing list archives

Re: Oracle Application Server 10g question
From: Marco Ivaldi <raptor () mediaservice net>
Date: Fri, 16 Mar 2007 14:43:25 +0100 (ora solare Europa occidentale)


On Wed, 14 Mar 2007, Lee Lawson wrote:

> Hi all,
>
> I am conducting a pen test of a web application built on Oracle
> Application Server 10g.  Aside from all of the problems that this
> system has with XSS, especially within the SSO, I have a question
> regarding a specific error message that is returned.

Hrm... You're testing an interesting and powerful beast, with plenty of dangerous vulnerabilities, besides the obvious XSS issues. I'd strongly suggest you take a look at:

http://www.ngssoftware.com/papers/hpoas.pdf (old but still interesting)

David Litchfield's Oracle Hacker's Handbook is also an excellent resource on this subject.

Yeah, I know this doesn't actually answer your original question, but hopefully it will help you to dig a bit more into exploitation of the PL/SQL gateway ;)


Marco Ivaldi, OPST
Chief Security Officer    Data Security Division
@ Mediaservice.net Srl    http://mediaservice.net/
