#Oracle #Infosec Common Mistakes: Granting DBA to application schema

I’m keep seeing this common mistake; The application schema was granted DBA privileges. Here is the problem, when a sql injection bug is found, then all DBA commands are available to the attacker.

The truth is, granting DBA to an application schema is the lazy way to get your application the privileges it requires to operate. Heck, I’m still seeing COTS applications that in the install guide say GRANT DBA TO . COTS applications require DBA privileges are poorly designed.

To fix this. Audit that app user to see what are it’s actually doing.

select obj_name,
action_name,
count(*)
from dba_audit_trail
where username = ‘&USER’
group by obj_name,
action_name;

Use the results of the query to derive what privileges are actually needed.