Comments on: Fuzzor – an Oracle fuzzer

By: Oracle CPU Dissected » Musings on Database Security

Oracle CPU Dissected » Musings on Database Security — Tue, 21 Jul 2009 20:03:05 +0000

[...] code fix but do not understand the vulnerability or do not know how to successfully exploit it, a fuzzer may come in handy. Running a good fuzzer on the old version of the fixed function or procedure [...]

By: CG

CG — Mon, 19 Jan 2009 01:55:07 +0000

hey all for documentation! thanks for the script, will give it a go this week.

By: Pete Finnigan

Pete Finnigan — Fri, 16 Jan 2009 13:29:44 +0000

Thanks for the code Slavik, it looks very useful. I have written an entry in my blog highlighgting your code – A PL/SQL Fuzzer / Fuzzor. One comment I have is that the report could be more clear, in that it could summarise a run, and highlight the potential errors only rather than a long list of results where we need to look for val=Y.

hope this helps

Cheers

Pete

By: Slavik

Slavik — Wed, 07 Jan 2009 18:25:19 +0000

@Steven
Hi Steven, thanks for checking the Fuzzor out. Indeed, the commit was missing after the inserts. I thought I added it but I guess I forgot…What Oracle version are you using? Can you send me the test package you are trying to fuzz (slavik at sentrigo.com)?
Regarding your question about datatypes – you should add the relevant ones to fuzz_input or fuzz_input_defaults.
If there is enough interest i.e. at least one more guy commenting I will create a project with documentation, etc. and provide bug fixes.

Mainly, I believe that what is missing is support for Oracle object types.

Thanks,
Slavik

By: Steven Feuerstein

Steven Feuerstein — Wed, 07 Jan 2009 15:29:19 +0000

Do I need to install my own input values into the fuzz_input tables for other datatypes like INTEGER? Are you planning on writing up some doc to show examples and help people use this more effectively?

By: Steven Feuerstein

Steven Feuerstein — Wed, 07 Jan 2009 15:27:50 +0000

You need a commit at the end of create_fuzzed_tables.