Fuzzing for Oracle database vulnerabilities

Database security vendor Sentrigo has released an open-source fuzz testing tool to help pinpoint security-related coding deficiencies in Oracle databases.

The tool, called FuzzOr, runs on Oracle 8i and is aimed at PL/SQL programmers and DBAs looking to find and eliminate vulnerabilities that may be exploited via SQL injection and buffer overflow attacks — the most common techniques used to launch hacker attacks on databases.

[ SEE: Hacker finds 492,000 unprotected Oracle, SQL database servers ]

From Sentrigo’s announcement:

  • A dynamic scanning tool, FuzzOr enables DBAs and security pros to test PL/SQL code inside Oracle-stored program units. Once vulnerabilities are detected by FuzzOr, a programmer can then repair the PL/SQL code.

Pete Finnigan, who had a look at FuzzOr prior to today’s release, explains the nitty-gritty of how it works:

  • It’s written in PL/SQL, tests PL/SQL packages, functions and procedures and is driven by a set of database tables to hold the configuration and the results. The idea is that you can target a particular package or a complete schema.
  • The nature of a fuzzer is that it sends random input to a particular function or procedure so its running that code hoping to crash it. Therefore do not run this tool on a production database or any database that you do not want to damage.

The tool is available as a free download (registration required).

[Source: zdnet]