Fuzzing for Oracle database vulnerabilities
Database security vendor Sentrigo has released an open-source fuzz testing tool to help pinpoint security-related coding deficiencies in Oracle databases.
The tool, called FuzzOr, runs on Oracle 8i and is aimed at PL/SQL programmers and DBAs looking to find and eliminate vulnerabilities that may be exploited via SQL injection and buffer overflow attacks — the most common techniques used to launch hacker attacks on databases.
From Sentrigo’s announcement:
- A dynamic scanning tool, FuzzOr enables DBAs and security pros to test PL/SQL code inside Oracle-stored program units. Once vulnerabilities are detected by FuzzOr, a programmer can then repair the PL/SQL code.
Pete Finnigan, who had a look at FuzzOr prior to today’s release, explains the nitty-gritty of how it works:
- It’s written in PL/SQL, tests PL/SQL packages, functions and procedures and is driven by a set of database tables to hold the configuration and the results. The idea is that you can target a particular package or a complete schema.
- The nature of a fuzzer is that it sends random input to a particular function or procedure, so it's running that code hoping to crash it. Therefore, do not run this tool on a production database or any database that you do not want to damage.
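The table-driven design Finnigan describes (configuration and results held in database tables, random input fed to each target inside an exception handler, with the target chosen by name) can be sketched in a short PL/SQL harness. The block below is an added example written for this article, not FuzzOr's or Sentrigo's code: the object names (fuzz_target, fuzz_result, fuzz_result_seq, demo_lookup, demo_lookup_fixed, run_fuzz) are constructed, the two demo procedures are a deliberately weak unit and its hardened form, and it assumes a disposable test schema on an Oracle release that provides DBMS_RANDOM and DBMS_ASSERT.

```sql
-- Added example (not FuzzOr or Sentrigo code). All object names are constructed.
-- Assumes a disposable Oracle test schema with DBMS_RANDOM and DBMS_ASSERT available.

-- Configuration: which stored program units to exercise and how many random calls each.
CREATE TABLE fuzz_target (
  target_name VARCHAR2(128) PRIMARY KEY,
  iterations  NUMBER NOT NULL
);

-- Results: one row per unhandled exception a target raised.
CREATE SEQUENCE fuzz_result_seq;
CREATE TABLE fuzz_result (
  result_id   NUMBER PRIMARY KEY,
  target_name VARCHAR2(128),
  input_value VARCHAR2(4000),
  error_code  NUMBER,
  error_text  VARCHAR2(4000),
  logged_at   TIMESTAMP DEFAULT SYSTIMESTAMP
);

-- Constructed target showing the two weaknesses the article names: the argument is
-- concatenated into dynamic SQL, and the local buffer is smaller than the input can be.
CREATE OR REPLACE PROCEDURE demo_lookup(p_name IN VARCHAR2) AS
  l_sql   VARCHAR2(200);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM dual WHERE dummy = ''' || p_name || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
END;
/

-- Hardened form: a bind variable instead of concatenation, no undersized buffer.
CREATE OR REPLACE PROCEDURE demo_lookup_fixed(p_name IN VARCHAR2) AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM dual WHERE dummy = :1'
    INTO l_count USING p_name;
END;
/

-- Fuzz driver: targets and iteration counts come from fuzz_target, every failure
-- is written to fuzz_result with the input that triggered it.
CREATE OR REPLACE PROCEDURE run_fuzz AS
  l_input VARCHAR2(4000);
BEGIN
  FOR t IN (SELECT target_name, iterations FROM fuzz_target) LOOP
    FOR i IN 1 .. t.iterations LOOP
      -- Random printable string of random length (0 to 1000 characters).
      l_input := DBMS_RANDOM.STRING('p', TRUNC(DBMS_RANDOM.VALUE(0, 1000)));
      -- Every fifth call, add characters that matter to the SQL parser.
      IF MOD(i, 5) = 0 THEN
        l_input := SUBSTR('''' || l_input || ';--', 1, 4000);
      END IF;
      BEGIN
        -- Call the configured unit by (validated) name with the random value as its argument.
        EXECUTE IMMEDIATE
          'BEGIN ' || DBMS_ASSERT.SQL_OBJECT_NAME(t.target_name) || '(:1); END;'
          USING l_input;
      EXCEPTION
        WHEN OTHERS THEN
          INSERT INTO fuzz_result
            (result_id, target_name, input_value, error_code, error_text)
          VALUES
            (fuzz_result_seq.NEXTVAL, t.target_name, l_input, SQLCODE, SUBSTR(SQLERRM, 1, 4000));
      END;
    END LOOP;
  END LOOP;
  COMMIT;
END;
/

-- Run both targets and summarise which errors each one produced.
INSERT INTO fuzz_target VALUES ('DEMO_LOOKUP', 200);
INSERT INTO fuzz_target VALUES ('DEMO_LOOKUP_FIXED', 200);
COMMIT;
EXEC run_fuzz;

SELECT target_name, error_code, COUNT(*) AS hits,
       MIN(LENGTH(input_value)) AS shortest_input
FROM   fuzz_result
GROUP  BY target_name, error_code
ORDER  BY target_name, hits DESC;
```

Reading the result table is where the value lies. For DEMO_LOOKUP, parser errors such as ORA-01756 (quoted string not properly terminated) on inputs containing quotes show that the input reaches a SQL statement unbound, which is exactly the SQL injection condition the article describes; ORA-06502 (character string buffer too small) on long inputs is the PL/SQL counterpart of the buffer overflow it mentions. DEMO_LOOKUP_FIXED should produce no rows at all under the same inputs, which is the signal a programmer wants after repairing a unit FuzzOr flagged.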
The tool is available as a free download (registration required).