Slavik has a nice post on his blog (picked up from my Oracle blogs aggregator) titled "Blind SQL Injection in Oracle". This is a nice article that discusses SQL Injection types with nice examples for Oracle and also talks a bit about blind SQL Injection and the use of timeouts. Slavik asks if using timeouts with blind SQL Injection is a valid technique; well, yes it is. Chema Alonso talked about this a couple of years ago in a paper he wrote on the Microsoft website using SQL Server as the example. I mentioned this paper in my SQL Server Security blog (which unfortunately I have not had much time to update recently). Chema also links to the previous work by Chris Anley, David Litchfield (on Oracle as well) and others in the same area.
I also came across a paper for the CIPFA CATS Information Technology Seminar written and presented by Lindsay Hamilton titled "How Secure Are Your Personal Details?". This is quite a nice paper (beware, it's an MS PPT, not a PDF) covering data auditing and monitoring from a high level, and also security assessment.