Pete Finnigan's Oracle Security Forum (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
Oracle Security >> Oracle Security >> Good application for a security workshop
(Message started by: Pete Finnigan on Dec 21st, 2010, 8:49am)

Title: Good application for a security workshop
Post by Pete Finnigan on Dec 21st, 2010, 8:49am
I'm working on a one-day workshop called "Hack your own database" to show DBAs why security is important, but in a different way. Not with the usual rhetoric, but by showing them they can hack their databases too and therefore should protect them.

So I'm thinking about creating a workshop environment with Oracle 10g or 11g with the usual config mistakes and some kind of application. I'd really like to have a simple application in which I could demonstrate what SQL Injection is. Of course it should look like an application and have a schema in the database. And it should be one without the effort of days of programming.

Any idea what would be a great (vulnerable) tool for this?
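To make the core of that demonstration concrete, here is an added example that is not part of the original thread or of any application mentioned in it. It builds a tiny constructed customer table and runs the same lookup twice: once with the query string concatenated from user input, the way a naive application does it, and once with a bind variable. The in-memory sqlite3 database stands in for Oracle so the example runs offline; the table, rows and input values are all constructed here, and on Oracle the fixed form corresponds to a named bind such as :username in cx_Oracle/python-oracledb or a PreparedStatement in JDBC.

```python
import sqlite3

# Constructed sample schema and rows standing in for the workshop application
# schema. sqlite3 replaces Oracle so the example runs offline; the lesson
# (string concatenation versus bind variables) is the same on Oracle.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT);
INSERT INTO customers VALUES (1, 'alice', 'alice@example.com');
INSERT INTO customers VALUES (2, 'bob',   'bob@example.com');
INSERT INTO customers VALUES (3, 'carol', 'carol@example.com');
"""


def open_demo_db():
    """Create the constructed in-memory database used by both lookups."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation.

    The user-supplied value becomes part of the SQL text, so a quote
    character in it ends the literal and the rest is parsed as SQL.
    This is the pattern the workshop application should exhibit.
    """
    sql = ("SELECT id, username, email FROM customers "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, username):
    """Uses a bind variable.

    The value travels separately from the SQL text, so it can only ever be
    compared against the column and can never change the statement's shape.
    """
    sql = "SELECT id, username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal value and with a quote-bearing value.

    Returns a dict so the outcome can be inspected or asserted on:
    the concatenated query returns every row for the second input,
    the bound query returns none, because no username equals that string.
    """
    conn = open_demo_db()
    normal = "alice"
    quoted_input = "x' OR '1'='1"   # constructed: a value containing a quote
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_quoted": lookup_vulnerable(conn, quoted_input),
        "fixed_normal": lookup_fixed(conn, normal),
        "fixed_quoted": lookup_fixed(conn, quoted_input),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s) -> {rows}")
```

For a DBA audience the useful follow-up is the same pair of statements seen from the database side: with concatenation every distinct input produces a new SQL text in the shared pool and the audit trail, while the bound version always shows one statement with the value in the bind section. That difference is also what makes the vulnerable pattern easy to spot during a review of V$SQL or of the application's query log.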

Title: Re: Good application for a security workshop
Post by Pete Finnigan on Dec 23rd, 2010, 5:40am
There's a very basic example of one here, including source code:

http://www.codingspace.org/2009/04/teach-me-sql-injection/

It is MySQL based so you'd need a few changes for Oracle but nothing compared with coding up something yourself.


Title: Re: Good application for a security workshop
Post by Pete Finnigan on Jan 6th, 2011, 11:59am
Hi Marcel-Jan,

I use orablog for my training classes which is WordPress ported to use Oracle as its database. It's an old WordPress but it's not rich in features and also is not designed to demo SQL Injection. I can however get it to error so it's not a stone's throw to get it to SQL Inject also.

email me if you want a copy.

cheers

Pete

Title: Re: Good application for a security workshop
Post by Pete Finnigan on Jan 12th, 2011, 12:49pm
A colleague has offered to make a very simple Java application for me that can be misused with SQL injection.

I've tried it and it is indeed very simple, but it works.
