The Oracle Hacker's Handbook: Hacking and Defending Oracle Paperback – January 30, 2007
From the Back Cover
While Oracle continues to improve the security features of its product, it still has a long way to go. David Litchfield has devoted years to relentlessly searching out the flaws in this ubiquitous database system and creating defenses against them. Now he offers you his complete arsenal to assess and defend your own Oracle systems.
Like The Shellcoder's Handbook and The Database Hacker's Handbook, this in-depth guide explores every technique and tool used by black hat hackers to invade and compromise Oracle. It shows you how to find the weak spots and defend them. Without that knowledge, you have little chance of keeping your databases truly secure.
- Discover how to deal with the security flaws revealed in the Oracle RDBMS
- Explore some never-before-published forays into Oracle security holes and learn to defend them from attack
- Learn why independent security assessments are not necessarily a guarantee of safety
- See how Oracle 10g Release 2 has improved its security features and where the flaws remain
- Take advantage of extensive and valuable code downloads on the companion Web site at www.wiley.com/go/ohh
Top Customer Reviews
In a nutshell, the new attacks include how to gain the version number remotely, brute force usernames, gain passwords/hashes from the OS, attack the listener, escalate privilege internally through PL/SQL packages and triggers both directly and indirectly, as well as defeating VPD. These attacks are illustrated both directly and through the application server. By using these techniques and by accessing the Oracle files directly through the OS, an attacker would be able to gain DBA privileges on most secured servers. Additionally, using the code examples included, an attacker could gain password hashes and then the actual DBA clear text password from the network using the password decryption code included. This will work even with complex quoted passwords.
This is the most effective public analysis of security vulnerabilities in Oracle products so far.
OHH is a technical book and not really an introduction to the subject though it could be picked up reasonably quickly as the text avoids unnecessary jargon.
The book could be enhanced by including more on defense strategies, such as, how to prepare and respond to an attack where the attacker has gained the clear text DBA password.
OHH has a free download site for pre-written proof of concept code, which helps avoid unnecessary typing. From a general readability point of view the book is concise and to the point. The sections are logically laid out and the examples worked when tested. I would recommend that those involved in Oracle security read this book as soon as they can.
I bought this book immediately when it came out in 2007 (yeah, I'm super late on the review) but frankly put it down because it was confusing and definitely not suited for anyone who didn't already have a basic exposure to Oracle. I picked it up again in late 2008 after doing the background research on Oracle security and administration. Armed with a better understanding of Oracle in general, I attacked the book again, focusing on SQL Injection in the Oracle PL/SQL packages with the goal of going from locating an open TNS listener to getting a shell on the system.
The author is well known in the security industry and one of only a handful of Oracle Security "experts", so the skill level was definitely there.
Breakdown of the Chapters:
Chapter 1 Overview of the Oracle RDBMS.
Chapter 2 The Oracle Network Architecture.
Chapter 3 Attacking the TNS Listener and Dispatchers.
Chapter 4 Attacking the Authentication Process.
Chapter 5 Oracle and PL/SQL.
Chapter 6 Triggers.
Chapter 7 Indirect Privilege Escalation.
Chapter 8 Defeating Virtual Private Databases.
Chapter 9 Attacking Oracle PL/SQL Web Applications.
Chapter 10 Running Operating System Commands.
Chapter 11 Accessing the File System.
Chapter 12 Accessing the Network.
Appendix A Default Usernames and Passwords.
Hope this helps
Most Recent Customer Reviews
I was disappointed that there was nothing new in this book that wasn't readily on the internet already.
Published on April 14, 2014 by D Greene
The book contains interesting Oracle security topics, but it is old and not all the topics are still valid. I would suggest buying the book only if you don't have much idea of...
Published on December 6, 2009 by Oriana Yuridia Weber
I found this book to be an excellent resource, and use it quite often at work.
Published on April 3, 2008 by Jonathan Hawes