The more you tell me, the more ways I can find I can find to attack your system. All I need is one little sql injection bug and trust me, it is most likely there, you just don’t know it yet.
execute process_row(’EMPLOYEES where 1=2 union select owner, name, text from all_source order by owner, name, line –’);
Problem #1 for you, Opportunity #1 for bad guys. Guess what, all of your source code just leaked out from your database.
Problem #2 for you, Opportunity #2 for bad guys. Not putting your your code into packages. If you put your pl/sql into a procedure or a function, I can extract your code from all_source, learn about your system and tailor my attack.
What do you need to do? Put your code into packages. If the code is in a package, the only thing I can get is the package specification.
Problem #2 for you, Opportunity #2 for bad guys. Comments in your package specification. Hey, I’ve been <humor> smacking junior developers with a boat paddle </humor> for years about not commenting their code. The good part is they eventually get it and put in comments. The bad part is comments are being put into the package specification. Some comments are quite verbose and <humor> I really like that</humor>. You are telling the bad guys everything they need to know to exploit your system.
What you need to do? Move all of your comments to the top of the package body and use inline comments in the package body. Again, when I extract your source code, if it’s in a package then I can only get the package specification.
Here is a sample of one of my packages specifications. You are not going to derive too much information from this except maybe what calls it.
CREATE OR REPLACE PACKAGE TARGETAPP.REPORTTARGET AUTHID current_user ACCESSIBLE BY (TARGETAPP.PROCESSTARGET) AS -- constant declarations sVersion CONSTANT VARCHAR2(10) := '20161026.1'; FUNCTION MAIN(arg1 IN VARCHAR2, arg2 IN NUMBER) RETURN NUMBER; FUNCTION WHAT_VERSION RETURN VARCHAR2; END;
When I put on my penetration testing hat, all of your source code and comments make my job much easier. I learn exactly how your system is designed and coded and that lets me find all kinds of ways to exploit your system. <humor>Please don’t make my pen testing work too easy, customers will start thinking they are paying me too much money.</humor> And please for goodness sake, make the bad guys life harder; because if you do, they will likely move on to an easier target.