Lateral SQL Injection
SQL injection is a class of attack in which untrusted input is incorporated into the SQL statements an application sends to its database, so that the attacker's text is parsed as part of the query. The injected SQL can then be used to read or modify data that the application never intended to expose.
Lateral SQL injection is a variation of this attack that targets functions which do not normally take VARCHAR input, such as those that accept DATE parameters. Because a DATE (or NUMBER) is converted to text using the session's NLS settings (NLS_DATE_FORMAT, NLS_NUMERIC_CHARACTERS) whenever it is concatenated into dynamic SQL, an attacker who can change those NLS variables can control what text the conversion produces and so inject SQL through a parameter that was never a string.
This type of attack can be difficult to detect and prevent, so it is important for developers to be aware of the potential risks and take steps to protect their applications.
Oracleforensics has released his latest paper, which investigates how, by changing NLS variables, an attacker can inject SQL into functions that do not normally take varchar input, e.g. those that accept dates. Functions that take no input at all but that rely on NLS variables are similarly affected. Lateral thinking.
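The pattern described above, shown as an added example in Oracle PL/SQL (this is not code from the paper or from the post, and the `orders` table, the `created` column and the function names are assumed for illustration): a function that concatenates a DATE parameter into dynamic SQL, relying on the session's NLS_DATE_FORMAT for the implicit conversion, beside two hardened forms that take that decision away from the session.

```sql
-- Vulnerable form (constructed example): the DATE is concatenated into the
-- statement text, so it is converted to VARCHAR2 implicitly using whatever
-- NLS_DATE_FORMAT the current session has. The procedure never sees, and
-- cannot control, the text that lands in the query.
CREATE OR REPLACE FUNCTION count_orders_vuln (p_since IN DATE) RETURN NUMBER AS
  l_sql VARCHAR2(4000);
  l_cnt NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM orders WHERE created > '''
           || p_since || '''';          -- implicit DATE -> VARCHAR2 via NLS_DATE_FORMAT
  EXECUTE IMMEDIATE l_sql INTO l_cnt;
  RETURN l_cnt;
END;
/

-- Hardened form 1: pass the DATE as a bind variable. The value is never part
-- of the statement text, so no NLS conversion takes place at all.
CREATE OR REPLACE FUNCTION count_orders_bind (p_since IN DATE) RETURN NUMBER AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM orders WHERE created > :since'
    INTO l_cnt USING p_since;
  RETURN l_cnt;
END;
/

-- Hardened form 2: where the value must be embedded as text, convert it with
-- an explicit, purely numeric format mask and quote it with DBMS_ASSERT.
-- A numeric mask yields only digits and separators regardless of the
-- session's NLS_DATE_FORMAT or NLS_DATE_LANGUAGE.
CREATE OR REPLACE FUNCTION count_orders_explicit (p_since IN DATE) RETURN NUMBER AS
  l_sql VARCHAR2(4000);
  l_cnt NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM orders WHERE created > TO_DATE('
           || DBMS_ASSERT.ENQUOTE_LITERAL(TO_CHAR(p_since, 'YYYY-MM-DD HH24:MI:SS'))
           || ', ''YYYY-MM-DD HH24:MI:SS'')';
  EXECUTE IMMEDIATE l_sql INTO l_cnt;
  RETURN l_cnt;
END;
/

-- Check: what the current session will actually use for implicit conversions.
-- Reviewing these (and any ALTER SESSION privileges granted to application
-- accounts) is the quickest way to see how much the vulnerable form trusts.
SELECT parameter, value
  FROM nls_session_parameters
 WHERE parameter IN ('NLS_DATE_FORMAT', 'NLS_DATE_LANGUAGE', 'NLS_NUMERIC_CHARACTERS');
```

The same reasoning applies to NUMBER parameters, whose implicit conversion depends on NLS_NUMERIC_CHARACTERS: bind the value, or convert it with an explicit format mask and the `NLS_NUMERIC_CHARACTERS` argument of `TO_CHAR`, rather than letting the session default decide. A definer's-rights procedure that follows the vulnerable form is the case to look for first, since the session-level NLS change is made by the caller while the dynamic SQL runs with the owner's privileges.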
Here is the paper: http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf. Congrats to NGS on winning the SC Security Company of the Year (http://www.scmagazine.com/uk/awards/), and even more congrats to Betfair for winning the Queen's Award again (http://www.realbusiness.co.uk/news/international-business/5240271/queens-awards-the-big-winners.thtml).