SOA message exists in a certain session context). An attacker will probe the predictability and randomness of the session ID in order to repeat this attack with more accurately guessed IDs. Needless to say, sequential IDs, and IDs derived from date or time ranges, are a bad idea.
This attack can be combined with buffer overflow attacks in order to crash the service completely. An attacker can assume that after the service restarts, the cache will be nullified as well, so a new session ID (possibly starting from zero) will be accepted for the same old message. Oracle's distributed cache and a clustered environment with many OFM nodes can prevent this, but an attacker could try to shut down all nodes at once, or try to get to the Node Manager (especially if it is running in single-node mode).
If cookies are involved in distributing the session, cookie reverse engineering can be employed in order to make the replay attack successful.
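The restart trick described above works only against a replay check that relies on the in-memory cache alone. The following script, an added example that is not part of the original text or of any Oracle product, contrasts a cache-only guard with one that also bounds message age (the WS-Security Timestamp idea), and includes the attacker-side check for sequential IDs. The class names, the 300-second window and the 60-second skew allowance are assumptions made for the example; the clock is simulated so the scenario runs offline.

```python
import secrets


class Clock:
    """Controllable clock so the restart scenario runs deterministically offline."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


class CacheOnlyGuard:
    """Replay check that relies only on an in-memory set of seen IDs.
    A restart wipes the set, so an old captured message becomes acceptable again."""

    def __init__(self):
        self._seen = set()

    def restart(self):
        self._seen.clear()          # cache nullified, exactly what the attacker hopes for

    def accept(self, message_id, created):
        if message_id in self._seen:
            return False
        self._seen.add(message_id)
        return True


class FreshnessGuard:
    """Nonce cache plus a freshness window: a message older than the window is
    rejected whether or not the cache still remembers it, so a restart does not help."""

    WINDOW = 300  # seconds a message stays acceptable (assumed policy value)
    SKEW = 60     # tolerated clock skew between client and service (assumed)

    def __init__(self, clock):
        self._clock = clock
        self._seen = {}  # message_id -> time after which the entry may be evicted

    def restart(self):
        self._seen.clear()

    def accept(self, message_id, created):
        now = self._clock()
        # Age check first: stale or future-dated messages never reach the cache lookup.
        if created > now + self.SKEW or now - created > self.WINDOW:
            return False
        # Evict entries whose message would already be rejected by age anyway.
        self._seen = {m: exp for m, exp in self._seen.items() if exp > now}
        if message_id in self._seen:
            return False
        self._seen[message_id] = created + self.WINDOW + self.SKEW
        return True


def replay_after_restart(guard, clock, message_id="1042"):
    """Capture a legitimate message, replay it at once, wait, restart, replay again.
    Returns the three accept() outcomes."""
    created = clock.now
    first = guard.accept(message_id, created)
    immediate_replay = guard.accept(message_id, created)   # both guards catch this
    clock.now += 3600                                      # attacker waits an hour
    guard.restart()                                        # service crashed and restarted
    after_restart = guard.accept(message_id, created)
    return first, immediate_replay, after_restart


def looks_sequential(ids):
    """Attacker-side check on captured IDs: a constant step means the next ID is guessable."""
    values = [int(i) for i in ids]
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(values) > 2 and len(steps) == 1


def unpredictable_id():
    """128 bits from the OS CSPRNG; neither sequential nor time-derived."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    print("cache only :", replay_after_restart(CacheOnlyGuard(), Clock()))
    clock = Clock()
    print("freshness  :", replay_after_restart(FreshnessGuard(clock), clock))
    print("sequential?:", looks_sequential(["1040", "1041", "1042", "1043"]))
```

With the cache-only guard the third outcome is True: the captured message is accepted after the restart. With the freshness guard it is False, because the message's creation time is an hour old regardless of what the cache remembers. In a cluster, the same age bound is what keeps a replay from succeeding on a node whose cache was never populated.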
SQL injection
The attack code for SQL injection is AT04.
The true and, therefore, bitter irony here is that, because of the many DB abstraction layers (including X/O mapping, persistence layers, and even migration to NoSQL DB types) in a service's internal architecture, some experts openly proclaimed the death of SQL injection a couple of years ago. As you can see, it is a present-day top risk, and all the old techniques we used for old ASP pages are just as powerful against REST and SOAP.
Tip
This is the most common attack, yet it is devastating and difficult to repel (it ranks first in the top 10 mentioned previously). We will try to cover it in greater detail, but if you want to know more, you have to study the resources dedicated to it.
Even if the replay attack fails, information about the backend DB is gathered, such as the version, patches, platform, and possibly constraints, the DB name, and table names. That is quite a good start: look for a violation of your Contract Centralization SOA pattern implementation (http://soapatterns.org/design_patterns/contract_centralization), look for open DB connections available at the service location, and carry on with the injections.
Interestingly, SOAP messages can be a good carrier of SQL injection attacks, and an over-enthusiastic error handler can provide perfect assistance in it. A simplified SOAP request will look like the following code:
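As an added example (not the book's own listing and not an Oracle component), the following Python script shows a SOAP body carrying a SQL injection payload, a handler that concatenates the parameter into the query and echoes the driver error together with the query text, and the hardened handler beside it. The service namespace, the `getCustomer` operation, the table layout and the sample rows are all assumptions constructed for the example; SQLite stands in for the backend so it runs offline.

```python
import sqlite3
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://example.com/customer"   # assumed service namespace for the example


def build_request(customer_id):
    """Simplified SOAP request; customer_id is whatever the caller chooses to send."""
    return f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:cus="{SVC_NS}">
  <soapenv:Body>
    <cus:getCustomer>
      <cus:customerId>{customer_id}</cus:customerId>
    </cus:getCustomer>
  </soapenv:Body>
</soapenv:Envelope>"""


def extract_customer_id(soap_request):
    """Pull the customerId element out of the Body (namespace-aware lookup)."""
    root = ET.fromstring(soap_request)
    node = root.find(f".//{{{SVC_NS}}}customerId")
    return node.text if node is not None and node.text is not None else ""


def setup_db():
    """Constructed in-memory backend with one 'interesting' table beside the customer data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                    [(1, "Alice", "alice@example.com"), (2, "Bob", "bob@example.com")])
    con.execute("CREATE TABLE api_keys (id INTEGER PRIMARY KEY, api_key TEXT)")
    con.execute("INSERT INTO api_keys VALUES (1, 'secret-key')")
    return con


def vulnerable_handler(con, soap_request):
    """String-builds the query and lets the error handler echo everything back."""
    cid = extract_customer_id(soap_request)
    sql = f"SELECT name, email FROM customers WHERE id = {cid}"
    try:
        return {"rows": con.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        # Over-enthusiastic error handler: driver message plus the failed query,
        # which hands the attacker the table and column names for free.
        return {"fault": f"{type(exc).__name__}: {exc} -- query: {sql}"}


def hardened_handler(con, soap_request):
    """Validates the parameter's type and binds it; faults carry no backend detail."""
    cid = extract_customer_id(soap_request)
    if not cid.isdigit():
        return {"fault": "invalid customerId"}
    rows = con.execute("SELECT name, email FROM customers WHERE id = ?", (int(cid),)).fetchall()
    return {"rows": rows}


if __name__ == "__main__":
    db = setup_db()
    union = "1 UNION SELECT api_key, 'x' FROM api_keys"
    print("vulnerable / union :", vulnerable_handler(db, build_request(union)))
    print("vulnerable / probe :", vulnerable_handler(db, build_request("1'")))
    print("hardened   / union :", hardened_handler(db, build_request(union)))
    print("hardened   / normal:", hardened_handler(db, build_request("1")))
```

The single-quote probe never returns data, yet the fault it triggers already names the `customers` table and its columns, which is exactly the reconnaissance the paragraph above describes. The UNION payload then reads a table the operation was never meant to expose. The hardened handler rejects anything that is not a plain integer before it reaches the database, binds the value instead of splicing it in, and returns a fault that says nothing about the backend.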