Introducing jdbc-backdoor

Background

To connect to a database, Java applications usually use the JDBC framework. Part of the framework is the set of JDBC drivers, which are usually supplied by the DBMS vendor. Applications often require the administrator to download the needed JDBC driver separately, because licensing restrictions do not allow the software vendor to redistribute the driver with their software.

Inner Workings of JDBC

Don’t expect a ton of details; I just wanted to provide enough information to make it easier to understand how jdbc-backdoor works.

jdbc-backdoor

(Original image: https://www.flickr.com/photos/freejay3/3335151608)

Conclusion

As a conclusion, I think there are a couple of things DBMS vendors can do to make everyone’s life easier:

  • If you are not signing your JDBC driver JARs, you should be!
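One way an application or deployment script can act on that advice, as an added example that is not part of the original post or of jdbc-backdoor: a Java check that refuses a driver JAR unless every entry is signed by a vendor certificate the administrator pinned ahead of time. The class name, the pinned-certificate file and the command-line arguments are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Hypothetical pre-deployment check: accept a JDBC driver JAR only if every entry is signed by the pinned vendor cert.
public final class DriverJarCheck {
    // Loads the vendor's signing certificate (PEM or DER) that was obtained out of band.
    static Certificate loadPinnedCert(File certFile) throws IOException, CertificateException {
        try (InputStream in = new FileInputStream(certFile)) {
            return CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
    // JarFile(verify=true) checks digests and signature blocks as entries are read,
    // but not chain validity or revocation, hence the comparison against a pinned certificate.
    static boolean isSignedBy(File jar, Certificate pinned) throws IOException {
        try (JarFile jf = new JarFile(jar, true)) {
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> en = jf.entries(); en.hasMoreElements(); ) {
                JarEntry e = en.nextElement();
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* read fully so code signers are populated */ }
                } catch (SecurityException tampered) {
                    return false; // digest or signature mismatch: entry was modified after signing
                }
                CodeSigner[] signers = e.getCodeSigners(); // null means the entry is unsigned
                if (signers == null) return false;
                boolean matched = false;
                for (CodeSigner s : signers) { // first cert in the path is the signer's own
                    if (pinned.equals(s.getSignerCertPath().getCertificates().get(0))) matched = true;
                }
                if (!matched) return false;
            }
            return true;
        }
    }
    public static void main(String[] args) throws Exception {
        boolean ok = isSignedBy(new File(args[0]), loadPinnedCert(new File(args[1])));
        System.out.println(ok ? "OK: signed by pinned vendor certificate" : "REJECT: unsigned, tampered, or unexpected signer");
        System.exit(ok ? 0 : 1);
    }
}
```

From the command line, `jarsigner -verify -strict driver.jar` performs the same signature verification; the class above adds the pin to one specific vendor certificate.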

Airman

Random rumblings about #InfoSec. The opinions expressed here are my own and not necessarily those of my employer.