I came across an Oracle eBusiness video demonstrating a full step-by-step reproduction of an attack leading to a remote takeover of the administrative interfaces of the Oracle eBusiness system. The vulnerabilities were discovered during a penetration test performed by Hacktics' experts. See the notes and the interesting video here.
In my opinion, besides the vulnerabilities themselves, there is a more interesting lesson in the researchers' comments. The team discovered that different releases of Oracle eBusiness Suite implemented code-level mitigations for a certain XSS vulnerability, but none of these releases prevented every possible instance of it. I am sure the developers felt they were solving the root cause, but in fact they arguably made things worse, because the filter gives a false sense of security: the naive attacker will indeed no longer be able to use a simple XSS script, while the more sophisticated attacker will still know how to launch a successful XSS attack with an evasion technique.
My assumption here is that someone on Oracle's product development team discovered the XSS vulnerability (perhaps using a scanner or a manual code review) and "fixed" the problem with "secure" programming in the form of input filtering, covering the attack vectors they knew about and missing the others, which SecureSphere could easily prevent.
The relevant part of the advisory:
It is important to note that our testing has indicated that different versions have different mitigation levels of this vulnerability, requiring, in some situations, utilizing XSS evasion techniques to overcome certain input validation and sanitization mechanisms:

- For earlier versions, injecting a simple <SCRIPT> suffices:

  <SCRIPT>alert('XSS')</SCRIPT>

- Some versions limit the permitted characters, and thus require the tester to insert JavaScript without utilizing tags, by injecting a script into the text box as follows:

  ");alert('XSS');//

- Later versions appear to also enforce server-side length restrictions on the vulnerable parameters. As a result, multiple separate injections are required to achieve script execution, such as:

  ");/*
  */alert/*
  */(/*
  */'XSS'/*
  */);//