
Pete Finnigan's Oracle security weblog




New version of Fuzzor available

February 4th, 2009 by Pete


Slavik, the CTO of Sentrigo, has today released a new version of his free Fuzzor tool. This is a fuzzer (note the "e" in the tool type; the "o" in Slavik's name for it is intended to represent the big "O" from Oracle) that can be used to test PL/SQL code in an Oracle database whether it is wrapped or not.

We are quite limited really in terms of free or commercial tools specifically available for testing the PL/SQL code we deploy for security vulnerabilities such as SQL injection. There are two types of tool that could exist: static analysis tools or dynamic tools. Slavik's Fuzzor is a dynamic tool. That means you install it and run it against the code in the database, and you basically "see" if you can make the code error by sending large amounts of pseudo-random input to the procedures, functions and packages being tested.
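To make the dynamic approach concrete, here is an added PL/SQL example that is not part of Fuzzor or of the original post: a minimal fuzzing loop of the kind described above, written to run in a throwaway test schema. The target function, the results table and the harness names (fuzz_customers, fuzz_target, fuzz_target_fixed, fuzz_results, fuzz_run) are all constructed for this illustration. The harness invokes whichever function name it is given through dynamic PL/SQL, feeds it pseudo-random strings seeded with SQL metacharacters, and records every exception rather than stopping at the first one; the same harness run against a version of the target that uses a bind variable shows the difference.

```sql
-- Constructed test data (hypothetical table, not from the post).
CREATE TABLE fuzz_customers (id NUMBER, name VARCHAR2(100));
INSERT INTO fuzz_customers VALUES (1, 'Alice');
COMMIT;

-- Constructed target: builds its WHERE clause by concatenation, which is
-- exactly the kind of defect a dynamic fuzzer is meant to surface.
CREATE OR REPLACE FUNCTION fuzz_target (p_name IN VARCHAR2) RETURN NUMBER IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM fuzz_customers WHERE name = ''' || p_name || ''''
    INTO l_count;
  RETURN l_count;
END;
/

-- Hardened form of the same function: the input travels as a bind
-- variable, so it can never reach the SQL parser as code.
CREATE OR REPLACE FUNCTION fuzz_target_fixed (p_name IN VARCHAR2) RETURN NUMBER IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM fuzz_customers WHERE name = :1'
    INTO l_count USING p_name;
  RETURN l_count;
END;
/

-- One row per (target, input) pair that raised an exception.
CREATE TABLE fuzz_results (
  run_ts   TIMESTAMP,
  target   VARCHAR2(128),
  input    VARCHAR2(4000),
  sqlcode  NUMBER,
  errmsg   VARCHAR2(4000)
);

-- Harness: p_target is the name of a function taking one VARCHAR2 and
-- returning a NUMBER. It is called through dynamic PL/SQL so the same
-- loop can be pointed at any such function in the test schema.
CREATE OR REPLACE PROCEDURE fuzz_run (
  p_target     IN VARCHAR2,
  p_iterations IN PLS_INTEGER DEFAULT 200
) IS
  l_input  VARCHAR2(4000);
  l_result NUMBER;
  -- Characters a SQL parser cares about; random letters pad around them.
  l_meta   CONSTANT VARCHAR2(20) := q'[';"-/*()|%_]';
BEGIN
  DBMS_RANDOM.SEED(42);  -- fixed seed so a failing input can be replayed
  FOR i IN 1 .. p_iterations LOOP
    -- letters, one random metacharacter, more letters
    l_input := DBMS_RANDOM.STRING('a', TRUNC(DBMS_RANDOM.VALUE(0, 8)))
            || SUBSTR(l_meta, TRUNC(DBMS_RANDOM.VALUE(1, LENGTH(l_meta) + 1)), 1)
            || DBMS_RANDOM.STRING('a', TRUNC(DBMS_RANDOM.VALUE(0, 8)));
    BEGIN
      EXECUTE IMMEDIATE 'BEGIN :r := ' || p_target || '(:i); END;'
        USING OUT l_result, IN l_input;
    EXCEPTION
      WHEN OTHERS THEN
        -- Log and carry on: the point is to collect every failing input.
        INSERT INTO fuzz_results
          VALUES (SYSTIMESTAMP, p_target, l_input, SQLCODE, SUBSTR(SQLERRM, 1, 4000));
    END;
  END LOOP;
  COMMIT;
END;
/

-- Run both targets with the same inputs and compare.
BEGIN
  fuzz_run('fuzz_target');
  fuzz_run('fuzz_target_fixed');
END;
/

SELECT target, sqlcode, COUNT(*) AS hits
FROM   fuzz_results
GROUP  BY target, sqlcode
ORDER  BY target, sqlcode;
```

Against fuzz_target every input containing a single quote breaks the concatenated statement, so the report fills with parse errors (typically ORA-01756, quoted string not properly terminated); that is the signal that attacker-controlled text reaches the parser. Against fuzz_target_fixed the same inputs produce no rows, because the bind variable keeps them as data. A real tool such as Fuzzor does the same thing at scale, with richer input generation and argument handling, which is also why the post's warning applies: the loop really does execute the code under test with whatever it throws at it.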

The tool is configurable, free under the GPL3 licence and very easy to use. We must exercise caution here:

Do not run this tool on a production database or any database you would like to keep. It should be run on a specific test system only, as its purpose is to dynamically test code by running it.


This is a great tool that can be run to test the code you have written internally in your organisation or to test third-party vendor code. It is very easy to use and the reports are easy to understand. This release version of the tool is now available from Sentrigo's website and involves a simple registration process to get it. There have been a couple of major changes since I last talked about the tool in a post titled "A PL/SQL Fuzzer / Fuzzor". Slavik summarises these as:

* Better functionality when working with types (objects, tables, PL/SQL records, etc.)
* A feature to generate automatic Hedgehog security rules from the scanning results. For example, if you find a vulnerability, but you are unable to fix it (i.e., you don't own the code, the code is wrapped or you require lengthy QA cycles) you can now automatically protect the vulnerable code by installing Hedgehog Standard and importing the generated rules.

I've also revised the report to be much more concise and readable.


The Fuzzor is available from the download page.

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.