Database protection techniques: a different perspective

    Tips for DB security

    Disclaimer: this post has in mind attacks on DB servers that arrive through web frontends and web applications.
    1. Any user ID used for web application connectivity should be restricted to specific IP addresses: localhost when the DB and application server share a machine, or the application server's IP address/hostname when they are separate servers. Keep a strict log of who accesses the ID and when.
    2. The first entry in the user/password database should be a dummy entry with zero privileges; it can also serve as a honeypot.
    3. Default accounts should be removed or blocked.
    4. User input validation should be a three-step process:
      1. Web page / client side: JavaScript. This layer is a convenience for users, not a security control; an attacker bypasses it trivially, so the next two steps are the ones that matter.
      2. Server (application): OWASP ESAPI or custom functions can be used.
      3. DB: use PL/SQL functions to strip input data, and pass the cleaned value to the query as a bind variable rather than concatenating it into SQL text.
    5. Another useful utility to keep in mind is the DBA_USERS_WITH_DEFPWD view (Oracle 11g and later), which lists the users still on a default password; from 11g, all but a few administrative default accounts are also locked and expired after installation.
    6. Web application developers should be given three different user access levels to use inside the web application:
      1. Read access: a user with SELECT only.
      2. Write access: a user with SELECT, INSERT, UPDATE and DELETE.
      3. App_mod: write access plus DROP and TRUNCATE.
      Developers need to make sure the appropriate user is used as and when required.
    7. Note: I know a large number of developers might start crying about this because it will increase their headache, but in the long run it could turn out to be a life saver.
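    The account side of tips 1, 3, 5 and 6 as one Oracle script. This is an added example, not code from the original post or its author; the schema SHOP, the table ORDERS, the roles APP_RO/APP_RW/APP_MOD, the WEBAPP_* accounts, the application server address 10.0.0.5 and the placeholder passwords are all hypothetical, and it is meant to be run as a DBA.

```sql
-- Added example, not from the original post: an Oracle hardening script
-- covering tips 1, 3, 5 and 6. All names (schema SHOP, table ORDERS, roles
-- APP_RO/APP_RW/APP_MOD, accounts WEBAPP_*, the app server IP 10.0.0.5 and
-- the placeholder passwords) are hypothetical. Run as a DBA.

-- Tip 6: three privilege tiers as roles.
CREATE ROLE app_ro;
CREATE ROLE app_rw;
CREATE ROLE app_mod;

GRANT SELECT ON shop.orders TO app_ro;
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.orders TO app_rw;
GRANT app_rw TO app_mod;      -- app_mod inherits every app_rw privilege
-- DROP and TRUNCATE on another schema's tables cannot be granted per object;
-- they need DROP ANY TABLE, which reaches every schema. Keep this tier out
-- of normal web traffic and use it only for maintenance jobs.
GRANT DROP ANY TABLE TO app_mod;

-- Tip 1: one account per tier, so the web app never holds more than it needs.
CREATE USER webapp_ro  IDENTIFIED BY "Replace-Me-1";
CREATE USER webapp_rw  IDENTIFIED BY "Replace-Me-2";
CREATE USER webapp_mod IDENTIFIED BY "Replace-Me-3";
GRANT CREATE SESSION, app_ro  TO webapp_ro;
GRANT CREATE SESSION, app_rw  TO webapp_rw;
GRANT CREATE SESSION, app_mod TO webapp_mod;

-- Tip 1: pin the web accounts to the application server's address.
-- Oracle has no per-user host clause, so a logon trigger does the check
-- (TCP.VALIDNODE_CHECKING in sqlnet.ora is the listener-level alternative).
CREATE OR REPLACE TRIGGER restrict_webapp_logon
  AFTER LOGON ON DATABASE
DECLARE
  v_user VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  v_ip   VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
BEGIN
  IF v_user IN ('WEBAPP_RO', 'WEBAPP_RW', 'WEBAPP_MOD') THEN
    -- Use '127.0.0.1' here when DB and app server share a host and the app
    -- connects over TCP to localhost; bequeath (local, non-TCP) sessions
    -- report NULL and are refused as well.
    IF v_ip IS NULL OR v_ip <> '10.0.0.5' THEN
      RAISE_APPLICATION_ERROR(-20001,
        'logon for ' || v_user || ' refused from ' || NVL(v_ip, 'local'));
    END IF;
  END IF;
END;
/
-- Caveat: users holding ADMINISTER DATABASE TRIGGER (DBAs) still get in when
-- this trigger raises, so it protects the web accounts, not SYS.

-- Tip 1, "strict log of who accesses the ID and when": audit logons of the
-- web accounts (needs AUDIT_TRAIL set to DB or OS, which takes a restart).
AUDIT SESSION BY webapp_ro, webapp_rw, webapp_mod;

-- Tips 3 and 5: list accounts still on a default password (11g+) and lock
-- them. SYS and SYSTEM are excluded: change their passwords instead.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username;

BEGIN
  FOR r IN (SELECT username FROM dba_users_with_defpwd
             WHERE username NOT IN ('SYS', 'SYSTEM')) LOOP
    EXECUTE IMMEDIATE
      'ALTER USER "' || r.username || '" ACCOUNT LOCK PASSWORD EXPIRE';
  END LOOP;
END;
/
```

    The three WEBAPP_* accounts are what the application's connection pools use; the roles exist so that adding a table means one extra GRANT per tier rather than per account. The trigger check is on the session's source address only, so it does nothing against an attacker who already runs code on the application server; that is what the tiered accounts and input validation are for.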
    Please post comments and suggestions on my main blog here
    http://blog.anantshri.info/database-...t-prespective/
    This article was originally published in the blog post "Database protection techniques: a different perspective" by Anant Shrivastava.
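    The database layer of tip 4 (step 3) as a worked example. This is added code, not the post's own; the CUSTOMERS table, the CUSTOMER_API package and the two sample rows are hypothetical and constructed for the demonstration. It puts the string-concatenation pattern that makes injection possible next to the hardened form, and shows DBMS_ASSERT for the one case where an identifier really has to go into dynamic SQL.

```sql
-- Added example, not from the original post: the DB-side validation step of
-- tip 4. Table CUSTOMERS, package CUSTOMER_API and the sample rows are
-- hypothetical.
CREATE TABLE customers (
  id       NUMBER        PRIMARY KEY,
  username VARCHAR2(30)  NOT NULL UNIQUE,
  email    VARCHAR2(254) NOT NULL
);

CREATE OR REPLACE PACKAGE customer_api AS
  FUNCTION clean_username(p_in IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION find_email_unsafe(p_user IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION find_email(p_user IN VARCHAR2) RETURN VARCHAR2;
  FUNCTION count_rows(p_table IN VARCHAR2) RETURN NUMBER;
END customer_api;
/

CREATE OR REPLACE PACKAGE BODY customer_api AS
  -- Whitelist strip: keep only [A-Za-z0-9_.-] and enforce the column length.
  -- Stripping is what the post asks for; rejecting when anything was removed
  -- is the stricter variant. Either way the result is only ever bound, below.
  FUNCTION clean_username(p_in IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    IF p_in IS NULL OR LENGTH(p_in) > 30 THEN
      RAISE_APPLICATION_ERROR(-20010, 'username missing or too long');
    END IF;
    RETURN REGEXP_REPLACE(p_in, '[^A-Za-z0-9_.-]', '');
  END;

  -- The pattern to avoid: caller input concatenated into dynamic SQL.
  -- p_user of  x' OR username='bob  makes the WHERE clause match bob's row.
  FUNCTION find_email_unsafe(p_user IN VARCHAR2) RETURN VARCHAR2 IS
    v_email VARCHAR2(254);
  BEGIN
    EXECUTE IMMEDIATE
      'SELECT email FROM customers WHERE username = ''' || p_user || ''''
      INTO v_email;
    RETURN v_email;
  END;

  -- Hardened: clean, then bind. Static SQL in PL/SQL binds v_user
  -- automatically, so the value never becomes part of the SQL text.
  FUNCTION find_email(p_user IN VARCHAR2) RETURN VARCHAR2 IS
    v_user  VARCHAR2(30) := clean_username(p_user);
    v_email VARCHAR2(254);
  BEGIN
    SELECT email INTO v_email FROM customers WHERE username = v_user;
    RETURN v_email;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN RETURN NULL;
  END;

  -- An identifier cannot be bound, so when one must go into dynamic SQL
  -- validate it with DBMS_ASSERT; SQL_OBJECT_NAME raises ORA-44002 unless
  -- the name resolves to an existing object.
  FUNCTION count_rows(p_table IN VARCHAR2) RETURN NUMBER IS
    v_n NUMBER;
  BEGIN
    EXECUTE IMMEDIATE
      'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
      INTO v_n;
    RETURN v_n;
  END;
END customer_api;
/

-- Constructed sample data.
INSERT INTO customers VALUES (1, 'alice', 'alice@example.com');
INSERT INTO customers VALUES (2, 'bob',   'bob@example.com');
COMMIT;

-- Same hostile input through both paths.
SELECT customer_api.find_email_unsafe('x'' OR username=''bob') AS unsafe_path,
       customer_api.find_email('x'' OR username=''bob')        AS hardened_path,
       customer_api.count_rows('customers')                    AS row_count
  FROM dual;
```

    Through the unsafe path the input `x' OR username='bob` rewrites the query to `WHERE username = 'x' OR username='bob'` and returns bob's address to a caller who never supplied it; through the hardened path the quotes, spaces and `=` are stripped, the remaining string matches nothing, and the function returns NULL. A quoted-identifier attempt such as `customers; DROP TABLE customers` against count_rows fails inside DBMS_ASSERT before any SQL is built.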