
Hands-On Oracle Application Express Security: Building Secure Apex Applications

Recx

ISBN: 978-1-118-68613-3

Apr 2013

150 pages

E-Book

$16.99

Description

An example-driven approach to securing Oracle APEX applications

As a Rapid Application Development framework, Oracle Application Express (APEX) allows websites to easily be created based on data within an Oracle database. Using only a web browser, you can develop and deploy professional applications that are both fast and secure. However, as with any website, there is a security risk and threat, and securing APEX applications requires some specific knowledge of the framework. Written by well-known security specialists Recx, this book shows you the correct ways to implement your APEX applications to ensure that they are not vulnerable to attacks. Real-world examples of a variety of security vulnerabilities demonstrate attacks and show the techniques and best practices for making applications secure.

  • Divides coverage into four sections, three of which cover the main classes of threat faced by web applications and the fourth covers an APEX-specific protection mechanism
  • Addresses the security issues that can arise, demonstrating secure application design
  • Examines the most common class of vulnerability that allows attackers to invoke actions on behalf of other users and access sensitive data

The lead-by-example approach featured in this critical book teaches you basic "hacker" skills in order to show you how to validate and secure your APEX applications.

INTRODUCTION

CHAPTER 1: ACCESS CONTROL

The Problem

The Solution

Authentication

Application Authentication

Page Authentication

Authorization

Application Authorization

Page Authorization

Button and Process Authorization

Process Authorization — On-Demand

File Upload

Summary

CHAPTER 2: CROSS-SITE SCRIPTING

The Problem

The Solution

Examples

Understanding Context

Reports

Report Column Display type

Report Column Formatting — HTML Expressions

Report Column Formatting — Column Link

Report Column — List of Values

Direct Output

Summary

CHAPTER 3: SQL INJECTION

The Problem

The Solution

Validation

Examples

Dynamic SQL – Execute Immediate

Example

Dynamic SQL – Cursors

Example

Dynamic SQL – APEX API

Example

Function Returning SQL Query

Example

Substitution Variables

Example

Summary

CHAPTER 4: ITEM PROTECTION

The Problem

The Solution

Validations

Value Protected

Page Access Protection

Session State Protection

Prepare_Url Considerations

Ajax Considerations

Examples

Authorization Bypass

Form and Report

Summary

APPENDIX A: USING APEXSEC TO LOCATE SECURITY RISKS

ApexSec Online Portal

ApexSec Desktop

APPENDIX B: UPDATING ITEM PROTECTION

APPENDIX C: UNTRUSTED DATA PROCESSING

Expected Value

Safe Quote

Colon List to Comma List

Tag Stripping
