OWASP AppSec USA 2014

The Oracle Application Framework (OAF) is the base of dozens of Oracle’s web-based business applications (the eBusiness Suite) and is used by many other organizations to develop their own in-house applications. Last year, the speaker published a major vulnerability (CVE-2013-xxxx) in the framework that allowed inspect inspection of run-time data. Unpublished at the time, the vulnerability also allowed unauthenticated attackers to impersonate any user with an active session, including administrators.

Why had such a critical vulnerability in a major application framework gone undiscovered for so long? The OAF has a huge install base in large companies, so it had undoubtedly been tested and scanned many times before. Attack complexity wasn’t a factor; once documented, the exploit was profoundly simple to use. In fact, while the functionality was poorly documented, the vulnerability was actually DESIGNED as part of OAF.

So, again, why did it take so long to discover? The answer can be found by looking at how most application testing is performed. Traditional black-box testing is only capable of discovering vulnerabilities that sit on the surface of the user interface. A relatively simple application, such as a blog or online store, will have limited functionality beyond the obvious user interface. This is radically different in enterprise-scale applications that must support complex integration with other applications and platforms.

Additionally, while superficial penetration testing of the user interface is sufficient to protect an application against casual attackers, a dedicated attacker will certainly dig deeper. This easier with off-the-shelf software (like OAF) that can be downloaded, evaluated, or pirated by attackers.

To fully test a complex application, advanced techniques are required. Static reverse engineering, mock environment creation, and dynamic monitoring are all essential components in any comprehensive application test. Using the Oracle Application Framework as a case study, deep-dive techniques will be explained and demonstrated in this presentation. A live environment will be provided for attendees who want to hack along with the presentation and during the rest of the day.