RE: Hiding the names of Web Toolkit procedures in Browser Address boxes

2003-10-13 Thread Melanie Caffrey
Hi Pete,

Thanks much for the links to your papers!

The client has not stated as such that they'd like to hide the fact that
it is a Web toolkit based site, for the rest of the URL would still be
visible:
http://the_server/pls/the_dad/

It appears to be only the package name/procedure name, or, when used,
just the procedure name, that they'd ultimately like to keep hidden.

Thanks again,
Melanie


-----Original Message-----
From: Pete Finnigan
Sent: Monday, October 13, 2003 5:19 PM
To: Multiple recipients of list ORACLE-L
Subject: Re: Hiding the names of Web Toolkit procedures in Browser Address boxes


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Melanie Caffrey
  INET: [EMAIL PROTECTED]

Fat City Network Services-- 858-538-5051 http://www.fatcity.com
San Diego, California-- Mailing list and web hosting services
-
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Re: Hiding the names of Web Toolkit procedures in Browser Address boxes

2003-10-13 Thread Pete Finnigan
Hi Melanie

You could use synonyms to hide the real names of the procedures if this
is a suitable alternative to showing procedure names, but it doesn't
alter the fact that someone could then just call these synonyms if the
goal is SQL injection. You might be interested in the three papers I
wrote for SecurityFocus on SQL injection in Oracle - see
http://www.petefinnigan.com/orasec.htm for the links - they are near the
top of the page. Is the concern to hide the fact that it is a Web
Toolkit-based site?

kind regards

Pete
-- 
Pete Finnigan
email:[EMAIL PROTECTED]
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.



RE: Hiding the names of Web Toolkit procedures in Browser Address boxes

2003-10-13 Thread Igor Neyman
Melanie,

I haven't used Web Toolkit.
I just assumed that, if it includes a DB call in the address line, then the
procedure name could be hidden if the application calls a synonym created for
the stored procedure.


Igor Neyman, OCP DBA
[EMAIL PROTECTED]



-----Original Message-----
From: Melanie Caffrey
Sent: Monday, October 13, 2003 1:40 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: Hiding the names of Web Toolkit procedures in Browser Address boxes


RE: Hiding the names of Web Toolkit procedures in Browser Address boxes

2003-10-13 Thread Melanie Caffrey
Igor,

Possibly.  I've not tried this approach.  Have you?  Is the synonym, in
fact, then displayed as opposed to the procedure name, in your address
line?

I am temporarily away from the testing site or I would test this out
straight away.

Thank you for your feedback.

Cheers,
Melanie

-----Original Message-----
From: Igor Neyman
Sent: Monday, October 13, 2003 2:19 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: Hiding the names of Web Toolkit procedures in Browser Address boxes



RE: Hiding the names of Web Toolkit procedures in Browser Address boxes

2003-10-13 Thread Igor Neyman
Will your customer allow displaying a synonym instead of the stored
procedure name?

Igor Neyman, OCP DBA
[EMAIL PROTECTED]



-----Original Message-----
From: Melanie Caffrey
Sent: Monday, October 13, 2003 1:04 PM
To: Multiple recipients of list ORACLE-L
Subject: Hiding the names of Web Toolkit procedures in Browser Address boxes

Hello Listers,

I'm trying to work out a solution for a client that I've not been able
to find any substantial documentation for.

Anybody familiar with the 9iAS and the PL/SQL Web Toolkit out there?

I thought I was, but a client of mine has come up with a very
interesting (and, I believe, very reasonable) request. 

They'd like to ensure that, say, when a user clicks on a hyperlink, for
instance, the name of the subsequently called procedure is not displayed
in the address line of the browser;  in other words, no visibility of
the name of the called procedure to the user using the Web app.

There is a lot of documentation on aliasing directory paths in Apache,
but not procedure names, per se.  Particularly since, naturally, the
Apache server is open source.  The solution I use must be
Oracle-specific (I ... er ... believe).

I could throw up a JS window that temporarily covers the address window,
but that is not really an ideal solution.  
Has anyone ever tried this before?

TIA,
Melanie

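The following script puts Igor's synonym suggestion, Pete's SQL-injection caveat and the client's requirement from Melanie's original post side by side. It is an added example, not code from anyone in this thread. Assumed names: application schema APP, DAD connecting user WEB_USER, package ORDER_PKG with procedures SHOW_ORDER and HOME, and dispatcher procedures GO / GO_UNSAFE; the host "the_server" and DAD "the_dad" are those of the URL quoted above. HTP, HTF and OWA_UTIL are Oracle's PL/SQL Web Toolkit packages.

```sql
-- Added example, not code from the thread. Assumed names: schema APP, DAD user
-- WEB_USER, package ORDER_PKG, procedures SHOW_ORDER/HOME, dispatcher GO.
-- Host "the_server" and DAD "the_dad" are taken from the URL quoted in the thread.

----------------------------------------------------------------------------
-- Part 1 (run as APP): the procedure the browser currently shows as
--   http://the_server/pls/the_dad/order_pkg.show_order?p_id=42
----------------------------------------------------------------------------
CREATE OR REPLACE PACKAGE order_pkg AS
  PROCEDURE show_order(p_id IN VARCHAR2);
  PROCEDURE home;
END order_pkg;
/
CREATE OR REPLACE PACKAGE BODY order_pkg AS
  PROCEDURE show_order(p_id IN VARCHAR2) IS
  BEGIN
    -- HTF.ESCAPE_SC escapes the user-supplied value before it is echoed
    htp.p('<p>Order ' || htf.escape_sc(p_id) || '</p>');
  END show_order;
  PROCEDURE home IS
  BEGIN
    htp.p('<p>Welcome</p>');
  END home;
END order_pkg;
/

----------------------------------------------------------------------------
-- Part 2 (run as APP): Igor's synonym. A synonym can alias a package or a
-- standalone procedure, not a single procedure inside a package, so the most
-- it can do here is replace the package half of the name:
--   http://the_server/pls/the_dad/o.show_order?p_id=42
-- As Pete says, O is exactly as callable as ORDER_PKG, and the mapping is one
-- dictionary query away for anyone with a database login.
----------------------------------------------------------------------------
CREATE OR REPLACE SYNONYM o FOR order_pkg;
SELECT synonym_name, table_owner, table_name
  FROM user_synonyms
 WHERE synonym_name = 'O';       -- O -> APP.ORDER_PKG

----------------------------------------------------------------------------
-- Part 3 (run as APP): a dispatcher. The browser only ever sees
--   http://the_server/pls/the_dad/go?a=order&p_id=42
-- GO_UNSAFE is the trap Pete warns about: it builds the call from the URL,
-- so a=<any procedure the DAD user can execute> runs that procedure.
----------------------------------------------------------------------------
CREATE OR REPLACE PROCEDURE go_unsafe(a IN VARCHAR2, p_id IN VARCHAR2 DEFAULT NULL) IS
BEGIN
  -- DO NOT USE: the caller decides what gets executed
  EXECUTE IMMEDIATE 'BEGIN ' || a || '(:1); END;' USING p_id;
END go_unsafe;
/

-- Hardened: A is an opaque token matched against a fixed list. No SQL or
-- PL/SQL text is built from input, and an unknown token gets a fixed
-- response instead of an ORA- error page.
CREATE OR REPLACE PROCEDURE go(a IN VARCHAR2, p_id IN VARCHAR2 DEFAULT NULL) IS
BEGIN
  CASE a
    WHEN 'order' THEN order_pkg.show_order(p_id);
    WHEN 'home'  THEN order_pkg.home;
    ELSE owa_util.status_line(404, 'Not Found');   -- also covers a NULL token
  END CASE;
END go;
/

----------------------------------------------------------------------------
-- Part 4: make the hidden names unreachable, not merely hidden. GO runs with
-- definer's rights (the default), so the DAD user needs EXECUTE on GO only.
----------------------------------------------------------------------------
GRANT EXECUTE ON go TO web_user;              -- run as APP
-- deliberately NO grant on ORDER_PKG or on the synonym O

-- run as WEB_USER: lets the URL say "go" instead of "app.go"
CREATE OR REPLACE SYNONYM go FOR app.go;

-- Result: .../pls/the_dad/go?a=order&p_id=42 works, while
-- .../pls/the_dad/app.order_pkg.show_order?p_id=42 fails for the DAD user,
-- because WEB_USER holds no EXECUTE privilege on APP.ORDER_PKG.
```

The synonym in Part 2 only renames; anyone who can type the synonym into the address box can call it, which is Pete's point. What actually keeps a browser away from ORDER_PKG in Part 4 is the privilege boundary: the DAD's connecting user can execute the dispatcher and nothing else, so the package and procedure names never appear in a URL and cannot be reached by guessing them either.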