SANS Institute accepted my GWAPT Gold Paper about testing Oracle Forms applications, the paper is now published in the Reading Room.
Forms is a typical example of proprietary technology that back in the day might have looked a good idea from business perspective but years later causes serious headaches on both the operational and security sides:
- Forms uses naively implemented crypto with (effectively) 32-bit RC4
- The key exchange is trivial to attack to achieve full key recovery
- Bit-flipping is possible since no integrity checking is implemented
- Database password set at server side is sent to all clients (you read that correctly)
And in case you’re wondering: applications based on Oracle Forms are still in use, thanks to vendor lock-in…
The full Gold Paper can be downloaded from the website of SANS Institute:
Automated Security Testing of Oracle Forms Applications
The accompanying code is available on GitHub.