Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Details of a 10g PL/SQL Unwrapper available"] [Next entry: "Instrumentation - a god send for speed freaks - a god send for data thieves"]

New version of Fuzzor available

Slavik the CTO of Sentrigo has today released a new version of his free Fuzzor tool. This is a fuzzer (note the "e" in the tool type, the "o" in Slaviks name for it is intended to represent the big "O" from Oracle) that can be used to test PL/SQL code in an Oracle database whether its wrapped or not.

We are quite limited really in terms of free or commercial tools specifically available to test the PL/SQL code we deploy for security vulnerabilities such as SQL Injection. There are two types of tools that could exist; static analysis tools or dynamic tools. Slavik's Fuzzor is a dynamic tool. That means you install it and run it against the code in the database and you basically "see" if you can make the code error by sending large amounts of pseudo random input to the procedures/functions/packages being tested.

The tool is configurable, FREE on the GPL3 license and very easy to use. We must exercise caution here:

Do not run this tool on a production database or any database you would like to keep. It should be run on a specific test system only as its purpose is to dynamically test code by running it

This is a great tool that can be run to test the code you have written internally in your organisations or to test third party vendor code. It is very easy to use and the reports are easy to understand. This release version of the tool is now available from Sentrigo's website and involves a simple registration process to get it. There has been a couple of major changes since I last talked about the tool in a post titled "A PL/SQL Fuzzer / Fuzzor". Slavik summarises these as:

* Better functionality when working with types (objects, tables, PL/SQL records, etc.)
* A feature to generate automatic Hedgehog security rules from the scanning results. For example, if you find a vulnerability, but you are unable to fix it (ie, you don’t own the code, the code is wrapped or you require lengthy QA cycles) you can now automatically protect the vulnerable code by installing Hedgehog Standard and importing the generated rules.

I’ve also revised the report to be much more concise and readable.

The Fuzzor is available from the download page.