Wiley.com
Print this page Share
E-book

Hands-On Oracle Application Express Security: Building Secure Apex Applications

ISBN: 978-1-118-68613-3
150 pages
April 2013
Hands-On Oracle Application Express Security: Building Secure Apex Applications (1118686136) cover image

Description

An example-driven approach to securing Oracle APEX applications

As a Rapid Application Development framework, Oracle Application Express (APEX) allows websites to easily be created based on data within an Oracle database. Using only a web browser, you can develop and deploy professional applications that are both fast and secure. However, as with any website, there is a security risk and threat, and securing APEX applications requires some specific knowledge of the framework. Written by well-known security specialists Recx, this book shows you the correct ways to implement your APEX applications to ensure that they are not vulnerable to attacks. Real-world examples of a variety of security vulnerabilities demonstrate attacks and show the techniques and best practices for making applications secure.

  • Divides coverage into four sections, three of which cover the main classes of threat faced by web applications and the forth covers an APEX-specific protection mechanism
  • Addresses the security issues that can arise, demonstrating secure application design
  • Examines the most common class of vulnerability that allows attackers to invoke actions on behalf of other users and access sensitive data

The lead-by-example approach featured in this critical book teaches you basic "hacker" skills in order to show you how to validate and secure your APEX applications.

See More

Table of Contents

INTRODUCTION ix

CHAPTER 1: ACCESS CONTROL 1

The Problem 1

The Solution 2

Authentication 2

Application Authentication 3

Page Authentication 4

Authorization 5

Application Authorization 5

Page Authorization 6

Button and Process Authorization 7

Process Authorization — On-Demand 10

File Upload 12

Summary 14

CHAPTER 2: CROSS-SITE SCRIPTING 15

The Problem 17

The Solution 18

Examples 18

Understanding Context 19

Reports 21

Report Column Display type 23

Report Column Formatting — HTML Expressions 27

Report Column Formatting — Column Link 31

Report Column — List of Values 33

Direct Output 35

Summary 38

CHAPTER 3: SQL INJECTION 39

The Problem 39

The Solution 40

Validation 40

Examples 40

Dynamic SQL – Execute Immediate 41

Example 42

Dynamic SQL – Cursors 45

Example 45

Dynamic SQL – APEX API 49

Example 50

Function Returning SQL Query 54

Example 55

Substitution Variables 60

Example 60

Summary 67

CHAPTER 4: ITEM PROTECTION 69

The Problem 69

The Solution 70

Validations 71

Value Protected 72

Page Access Protection 74

Session State Protection 75

Prepare_Url Considerations 79

Ajax Considerations 80

Examples 81

Authorization Bypass 81

Form and Report 84

Summary 87

APPENDIX A: USING APEXSEC TO LOCATE SECURITY RISKS 89

ApexSec Online Portal 89

ApexSec Desktop 90

APPENDIX B: UPDATING ITEM PROTECTION 93

APPENDIX C: UNTRUSTED DATA PROCESSING 95

Expected Value 95

Safe Quote 95

Colon List to Comma List 96

Tag Stripping 96

See More

Downloads

Download TitleSizeDownload
ReadMe 322 bytes Click to Download
Oracle Apex Security Application 358.69 KB Click to Download
See More
Back to Top