Automated Security Testing of Oracle Forms Applications

by Balint Varga-Perke
Sept. 1, 2017 | SANS Institute | Encryption & Authentication, penetration testing

Oracle Forms, a component of Oracle Fusion Middleware, is a technology for efficiently building browser-based enterprise applications. In order to support multiple transport methods, Forms has its own binary message format that is meant to provide serialization and additional security for the platform. Unfortunately, this proprietary format renders conventional security testing tools unusable. Reverse engineering methods will be employed to reveal the format of the protocol messages and to analyze the cryptographic protections in use. It will be shown that the proprietary encryption and key exchange schemes can be attacked in multiple ways. New tools will be presented which can be used to exploit these weaknesses and allow existing security testing software to be used against Oracle Forms applications. Based on these observations, deployment best practices will also be described to help mitigate the discussed problems.