RE: Hiding the names of Web Toolkit procedures in Browser Address boxes
Hi Pete,
Thanks much for the links to your papers!
The client has not stated as such that they'd like to hide the fact that
it is a Web toolkit based site, for the rest of the URL would still be
visible:
http://the_server/pls/the_dad/<this_is_the_part_they_would_like_to_hide>
It appears to be only the package name/procedure name, or, when used, just the procedure name, that they'd ultimately like to keep hidden.
Thanks again,
Melanie
-----Original Message-----
Pete Finnigan
Sent: Monday, October 13, 2003 5:19 PM
To: Multiple recipients of list ORACLE-L
Address boxes
Hi Melanie
You could use synonyms to hide the real names of the procedures, if this is a suitable alternative to showing procedure names, but it doesn't alter the fact that someone could then just call these synonyms if the goal is SQL injection. You might be interested in the three papers I wrote for SecurityFocus on SQL injection in Oracle - see http://www.petefinnigan.com/orasec.htm for the links - they are near the top of the page. Is the concern to hide the fact that it is a web toolkit based site?
kind regards
Pete
--
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit
specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for
details.
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Pete Finnigan
INET: oracle_list_at_peterfinnigan.demon.co.uk
Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services ---------------------------------------------------------------------To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
--
Author: Melanie Caffrey
INET: mcaffrey_at_proximo.com
Received on Mon Oct 13 2003 - 16:44:25 CDT