#Oracle #Infosec Common Mistakes: Granting DBA to application schema

I’m keep seeing this common mistake; The application schema was granted DBA privileges. Here is the problem, when a sql injection bug is found, then all DBA commands are available to the attacker.

The truth is, granting DBA to an application schema is the lazy way to get your application the privileges it requires to operate. Heck, I’m still seeing COTS applications that in the install guide say GRANT DBA TO . COTS applications require DBA privileges are poorly designed.

To fix this. Audit that app user to see what are it’s actually doing.

select obj_name,
action_name,
count(*)
from dba_audit_trail
where username = ‘&USER’
group by obj_name,
action_name;

Use the results of the query to derive what privileges are actually needed.

This entry was posted in infosec, Security and tagged , by rlockard. Bookmark the permalink.

About rlockard

Robert Lockard is a professional Oracle Designer, Developer and DBA working in the world of financial intelligence. In 1987 his boss called him into his office and told him that he is now their Oracle Wizard then handed him a stack of Oracle tapes and told him to load it on the VAX. Sense then, Robert has worked exclusively as an Oracle database designer, developer and Database Administrator. Robert enjoys flying vintage aircraft, racing sailboats, photography, and technical diving. Robert owns and fly’s the “Spirit of Baltimore Hon” a restored 1948 Ryan Navion and lives in Glen Burnie Maryland on Marley Creek

Welcome to oraclewizard