This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP AppSec DC 2012/New and Improved Hacking Oracle from Web

Jump to: navigation, search


Registration Now OPEN! | Hotel | Schedule | Convention Center |

The Presentation

There are a number of attacks against Oracle database and in almost every other CPU there is a shiny new exploit which allows a malicious database user to gain DBA privileges on the back-end database. Exploiting things over web apps via a SQL Injection vulnerability, is not quite the same due to restrictions posed by the database. In 2010, I showed a few attack vectors which can be used, depending upon what privileges the database user has, to carry out advanced exploitation. Examples of advanced exploitation include privilege escalation attacks and OS code execution against back-end database. This talk will show new attack vectors which will allow an attacker to carry out any old/new exploit against oracle database via web apps. Unlike previous attack vectors these don't require any special privileges and exist from Oracle 9i to 11g R2.

The Speakers

Sumit Siddharth

Sumit Siddharth (sid) works as a Head of Penetration Testing for 7safe in the UK. He specializes in Web application and database security and has over 7 years of experience with IT security. Sid has been a speaker at many international conferences such as Black Hat, Defcon, Owasp, Troopers, Sec-T etc. He has been an author of several white-papers, tools and security advisories. Sid holds the prestigious CREST certification and also runs the popular IT security blog He is also a contributing author to the book SQL Injection:Attacks and Defense (2nd Edition)

Gold Sponsors

Aspect logo owasp.jpg AppSecDC2009-Sponsor-securicon.gif AppSecDC2009-Sponsor-mandiant.gif AppSecDC2012-ISC2.gif

Silver Sponsors


Small Business

AppSecDC2012-Sponsor-sideas.gif BayShoreNetworks.png


link= Codenomicon WhiteHat Logo.png AppSecDC2012-HP.jpg WSI - Logo.jpg