SQL Injection Attacks and Defense - 2009

UTL_SMTP.HELO(v_connection,'mailhost.victim.com');
UTL_SMTP.MAIL(v_connection,'app@victim.com');
UTL_SMTP.RCPT(v_connection,'admin@victim.com');
UTL_SMTP.DATA(v_connection,'WARNING! SELECT PERFORMED ON HONEYPOT');
UTL_SMTP.QUIT(v_connection);
return '1=1'; -- always show the entire table
end;
/
-- assign the policy function to the honeypot table TBLUSERS
exec dbms_rls.add_policy (
'APP_USER',
'TBLUSERS',
'GET_CUST_ID',
'SECUSER',
'',
'SELECT,INSERT,UPDATE,DELETE');
Additional Secure Development Resources
Code-Level Defenses • Chapter 8 371
A number of resources exist to promote secure applications by providing tools, resources,
training, and knowledge to the developers writing those applications. The following is a list
of the resources the authors of this book feel are the most useful:
■■
■■
■■
The Open Web Application Security Project (OWASP; www.owasp.org) is an open
community promoting Web application security. OWASP has a number of projects
that provide resources, guides, and tools to assist developers in understanding,
finding, and addressing security issues in their code. Notable projects are the
Enterprise Security API (ESAPI), which provides a collection of API methods for
implementing security requirements such as input validation, and the OWASP
Development Guide, which provides a comprehensive guide for secure
development.
The 2009 CWE/SANS Top 25 Most Dangerous Programming Errors ( http://cwe.
mitre.org/top25/index.html) is a collaboration among MITRE, the SANS Institute,
and a number of top security experts. It is intended to serve as an educational and
awareness tool for developers, and provides a lot of detail on the top 25
programming errors as defined by the project—one of which is SQL injection.
The SANS Software Security Institute ( www.sans-ssi.org) provides training and
certification in secure development, as well as a large amount of reference
information and research contributed by SANS certified individuals.