An example-driven approach to securing Oracle APEX applications
As a Rapid Application Development framework, Oracle Application Express (APEX) allows websites to be created easily from data held in an Oracle database. Using only a web browser, you can develop and deploy professional applications that are both fast and secure. However, an APEX application is exposed to the same threats as any other website, and securing it requires specific knowledge of the framework. Written by the security specialists Recx, this book shows you the correct ways to implement your APEX applications so that they are not vulnerable to attack. Real-world examples of a variety of security vulnerabilities demonstrate the attacks and show the techniques and best practices for making applications secure.
* Divides coverage into four sections, three of which cover the main classes of threat faced by web applications, while the fourth covers an APEX-specific protection mechanism
* Addresses the security issues that can arise, demonstrating secure application design
* Examines the most common class of vulnerability, which allows attackers to invoke actions on behalf of other users and to access sensitive data
The lead-by-example approach featured in this critical book teaches you basic "hacker" skills in order to show you how to validate and secure your APEX applications.
About the author
Tim Austwick is the IT Security Director of Recx, an information security company and the developers of ApexSec, a security analysis tool for Oracle Apex applications: http://www.recx.co.uk/ Tim performed security reviews for 50+ Oracle Application Express web applications. The knowledge and experience gained from this process led to the development of the Recx ApexSec static-analysis engine that automates the security assessment process for Apex applications. Oracle also gave public credit to Recx ApexSec for helping to secure Apex 4.1.
Contents
INTRODUCTION
CHAPTER 1: ACCESS CONTROL
  The Problem
  The Solution
  Authentication
  Application Authentication
  Page Authentication
  Authorization
  Application Authorization
  Page Authorization
  Button and Process Authorization
  Process Authorization On-Demand
  File Upload
  Summary
CHAPTER 2: CROSS-SITE SCRIPTING
  The Problem
  The Solution
  Examples
  Understanding Context
  Reports
  Report Column Display Type
  Report Column Formatting HTML Expressions
  Report Column Formatting Column Link
  Report Column List of Values
  Direct Output
  Summary
CHAPTER 3: SQL INJECTION
  The Problem
  The Solution
  Validation
  Examples
  Dynamic SQL Execute Immediate
  Example
  Dynamic SQL Cursors
  Example
  Dynamic SQL APEX API
  Example
  Function Returning SQL Query
  Example
  Substitution Variables
  Example
  Summary
CHAPTER 4: ITEM PROTECTION
  The Problem
  The Solution
  Validations
  Value Protected
  Page Access Protection
  Session State Protection
  Prepare_Url Considerations
  Ajax Considerations
  Examples
  Authorization Bypass
  Form and Report
  Summary
APPENDIX A: USING APEXSEC TO LOCATE SECURITY RISKS
  ApexSec Online Portal
  ApexSec Desktop
APPENDIX B: UPDATING ITEM PROTECTION
APPENDIX C: UNTRUSTED DATA PROCESSING
  Expected Value
  Safe Quote
  Colon List to Comma List
  Tag Stripping
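The Chapter 3 entries "Dynamic SQL Execute Immediate", "Function Returning SQL Query" and "Substitution Variables" name the APEX-specific SQL injection patterns the book covers. The following PL/SQL is an added illustration of that material, written for this listing; it is not code from the book or from Recx. It assumes the SCOTT demo table EMP and the page items P1_DEPTNO, P1_COUNT and P1_SORT, all of which are assumed names chosen for the example.

```sql
-- Added example (not from the book or Recx). Assumes the SCOTT demo table
-- EMP and page items P1_DEPTNO (user input), P1_COUNT (result) and
-- P1_SORT (user-chosen sort column); all are assumptions for illustration.

-- 1. VULNERABLE: &P1_DEPTNO. is a substitution string. The APEX engine
--    replaces it with the item's session-state value as TEXT before the
--    block is parsed, so the user's input becomes part of the SQL source.
--    A value of   10 OR 1=1   counts every employee, and a value carrying
--    a UNION or a comment marker can read other tables.
DECLARE
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp WHERE deptno = &P1_DEPTNO.'
    INTO l_count;
  apex_util.set_session_state('P1_COUNT', l_count);
END;

-- 2. EQUALLY VULNERABLE: concatenating the session-state value returned by
--    v() has the same effect. Quoting the value does not help, because the
--    input can contain a quote that closes the literal early.
DECLARE
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM emp WHERE deptno = '''
           || v('P1_DEPTNO') || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  apex_util.set_session_state('P1_COUNT', l_count);
END;

-- 3. FIXED: pass the item as a bind variable. The SQL text is constant and
--    the value travels separately, so it is compared, never parsed.
--    Converting to NUMBER first rejects non-numeric input up front
--    (ORA-01722) instead of letting it reach the statement.
DECLARE
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM emp WHERE deptno = :b_deptno'
    INTO l_count
    USING TO_NUMBER(v('P1_DEPTNO'));
  apex_util.set_session_state('P1_COUNT', l_count);
END;

-- 4. PREFERRED: when the statement shape is fixed, static SQL with an APEX
--    bind variable (:ITEM_NAME) needs no dynamic SQL at all.
DECLARE
  l_count NUMBER;
BEGIN
  SELECT COUNT(*)
    INTO l_count
    FROM emp
   WHERE deptno = TO_NUMBER(:P1_DEPTNO);
  apex_util.set_session_state('P1_COUNT', l_count);
END;

-- 5. When the user controls a part of the statement that cannot be bound
--    (here a column name in ORDER BY), allow-list it before it reaches the
--    SQL text. This body is shaped like a "Function Returning SQL Query"
--    region source: it returns the query string rather than executing it.
DECLARE
  l_sort VARCHAR2(30);
BEGIN
  CASE UPPER(:P1_SORT)
    WHEN 'ENAME'    THEN l_sort := 'ENAME';
    WHEN 'SAL'      THEN l_sort := 'SAL';
    WHEN 'HIREDATE' THEN l_sort := 'HIREDATE';
    ELSE raise_application_error(-20001, 'Invalid sort column');
  END CASE;
  -- Only one of the three literal identifiers above can be concatenated.
  RETURN 'SELECT empno, ename, sal, hiredate FROM emp ORDER BY ' || l_sort;
END;
```

The practical check is mechanical: any `&ITEM.` reference or `v('ITEM')` concatenation that lands inside a string later handed to EXECUTE IMMEDIATE, OPEN ... FOR, or returned as a region query is injectable, regardless of surrounding quotes; replacing it with `:ITEM` or a USING bind removes the problem, and the remaining cases (identifiers, keywords) need an allow-list as in block 5.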