Hacking the Oracle Application Framework: A case study in deep-dive pen testing

Presented at AppSec USA 2014, Sept. 19, 2014, 2 p.m. (45 minutes)

The Oracle Application Framework (OAF) is the base of dozens of Oracle's web-based business applications (the eBusiness Suite) and is used by many other organizations to develop their own in-house applications. Last year, the speaker published a major vulnerability (CVE-2013-xxxx) in the framework that allowed inspection of run-time data. Unpublished at the time, the vulnerability also allowed unauthenticated attackers to impersonate any user with an active session, including administrators.

Why had such a critical vulnerability in a major application framework gone undiscovered for so long? The OAF has a huge install base in large companies, so it had undoubtedly been tested and scanned many times before. Attack complexity wasn't a factor; once documented, the exploit was profoundly simple to use. In fact, while the functionality was poorly documented, the vulnerability was actually DESIGNED as part of OAF.

So, again, why did it take so long to discover? The answer can be found by looking at how most application testing is performed. Traditional black-box testing is only capable of discovering vulnerabilities that sit on the surface of the user interface. A relatively simple application, such as a blog or online store, will have limited functionality beyond the obvious user interface. This is radically different in enterprise-scale applications that must support complex integration with other applications and platforms.

Additionally, while superficial penetration testing of the user interface is sufficient to protect an application against casual attackers, a dedicated attacker will certainly dig deeper. This is easier with off-the-shelf software (like OAF) that can be downloaded, evaluated, or pirated by attackers.

To fully test a complex application, advanced techniques are required. Static reverse engineering, mock environment creation, and dynamic monitoring are all essential components in any comprehensive application test. Using the Oracle Application Framework as a case study, deep-dive techniques will be explained and demonstrated in this presentation. A live environment will be provided for attendees who want to hack along with the presentation and during the rest of the day.


Presenters:

  • David Byrne - Principal Consultant - SpiderLabs
    David Byrne has worked in information security for 14 years. Currently, he is a Managing Consultant in SpiderLabs, Trustwave's advanced security team focused on application security, penetration testing, and incident response. David's primary responsibility is setting SpiderLabs' global standards for delivery of application security services. Before Trustwave, David was the Security Architect at Dish Network, one of the world's largest satellite television companies. In 2006, he started the Denver chapter of OWASP. David regularly presents at major security events like DEFCON, Black Hat, and OWASP conferences.
