Secure your APEX application

Size: px

Start display at page:

Download "Secure your APEX application"

Marvin Barnett
5 years ago
Views:

1 Secure your APEX application APEX World, Rotterdam, 22 & 23 March, 2018 Aljaž Abakus Plus, d.o.o.

2 Me IT Solutions Architect at Abakus plus, d.o.o Oracle ACE Associate SIOUG - Vice President APEX Alpe Adria co-organizor ( apex.world member of the month (march, 2016) APEX Text Messages

3 3

4 Agenda SQL Injection Cross Site Scripting - XSS Session State Protection Tools

5 SQL Injection

6 What is SQL Injection? SQL Injection vulnerabilities arise when the end-users (attackers) can modify the syntax of a database query.

7 7

8 Impact of SQL Injection See any data (also in other tables) Do DML (insert, update, delete) operations Run PL/SQL

9 SQL Injection in APEX

10 Most common threats Use of substitution strings (&ITEM.) Use of Dynamic SQL: wrong concatenations Report with source SQL Query (PL/SQL function body returning SQL Query) Use of Execute Immediate in PL/SQL

11 Where? Any component where SQL or PL/SQL is used! o Computations o Processes o Reports o Charts o Item Source o Display Conditions o List of Values o Lists o Authorization schemes o

12 Substitution Strings select * from emp where ename = '&P1_SEARCH.'

13 Substitution Strings KING' or 1=1--

14 Substitution Strings select * from emp where ename = :P1_SEARCH

15 Bind variables & Dynamic SQL l_sql := 'SELECT * FROM emp WHERE empno =' :P1_EMPNO; RETURN l_sql;

16 Bind variables & Dynamic SQL l_sql := 'SELECT * FROM emp WHERE empno = :P1_EMPNO'; RETURN l_sql;

17 Bind variables & Dynamic SQL l_sql := 'SELECT * FROM emp WHERE empno = to_number(:p1_empno)'; RETURN l_sql;

18 Bind variables & Dynamic SQL l_id := to_number(:p1_empno); l_sql := 'SELECT * FROM emp WHERE empno =' l_id; RETURN l_sql;

19 Bind variables & Dynamic SQL l_like := '''' '%' :P1_SEARCH '%' ''''; l_sql := 'SELECT * FROM emp WHERE ename like ' l_like ; RETURN l_sql;

20 Bind variables & Dynamic SQL l_like := '''' '%' :P1_SEARCH '%' ''''; l_sql := 'SELECT * FROM emp WHERE ename like ' DBMS_ASSERT.ENQUOTE_LITERAL(l_like); RETURN l_sql;

21 ENQUOTE_LITERAL 21

22 v() function & Dynamic SQL l_sql := 'SELECT * FROM emp WHERE empno =' v('p1_empno'); RETURN l_sql;

23 v() function & Dynamic SQL l_sql := 'SELECT * FROM emp WHERE empno = v(''p1_empno'')'; RETURN l_sql;

24 Dynamic SQL l_column := :P1_COLUMN; l_table := :P1_TABLE; l_sql := 'SELECT ' l_column ' FROM ' l_table; RETURN l_sql;

25 Dynamic SQL l_column := DBMS_ASSERT.SIMPLE_SQL_NAME(:P1_COLUMN); l_table := DBMS_ASSERT.SIMPLE_SQL_NAME(:P1_TABLE); l_sql := 'SELECT ' l_column ' FROM ' l_table; RETURN l_sql;

26 SIMPLE_SQL_NAME The first character of the name is alphabetic. The name only contains alphanumeric characters or the "_", "$", "#" Quoted names must be enclosed by double quotes and may contain any characters, including quotes provided they are represented by two quotes in a row (""). The function ignores leading and trailing white spaces are ignored The length of the input string is not validated. The "ORA-44003: invalid SQL name" exception is raised when the input string does not conform. 26

27 SIMPLE_SQL_NAME 27

28 28

29 Cross Site Scripting

30 Cross Site Scripting - XSS Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side (javascript) scripts into web pages viewed by other users.

31 31

32 Many Types of XSS Stored XSS o JavaScript in database Reflected XSS o Embedded JavaScript in URL request Stored XSS in uploaded files o HTML, Text file with.jpg extension, etc.

33 JavaScript JavaScript has access to some of the user's sensitive information, such as cookies. JavaScript can send HTTP requests with arbitrary content to arbitrary destinations by using XMLHttpRequest and other mechanisms. JavaScript can make arbitrary modifications to the HTML of the current page by using DOM manipulation methods. These facts combined can cause very serious security breaches 33

34 XSS - protection

35 XSS - protection

36 XSS protection When saving data o Restricted Characters o All characters can be saved. o Whitelist for a-z, 0-9 and space o Blacklist HTML command characters (<>") o Blacklist &<>"/;,* =% and -- (includes pl/sql comment) o Blacklist &<>"/;,* =% or -- and new line When displaying data o Escape special characters : YES (default) o Manually : apex_escape

37 Escaping <script>alert('test');</script> <script>alert("test");</script>

38 XSS - not escaped

39 XSS - escaped

40 XSS and reports If you need to render HTML fragments instead of plain column values (for example, for highlighting), you should use the report column's HTML Expression attribute. In the HTML Expression attribute, you can enter static HTML and embed escaped column values with the #COLUMN# notation. 40

41 XSS and reports The extended column notation gives you control regarding how Oracle Application Express should escape a column value: o #COLUMN!HTML# o #COLUMN!ATTR# o #COLUMN!JS# o #COLUMN!RAW# o #COLUMN!STRIPHTML# <a href="javascript:if (confirm('do you really want to delete #ENAME!JS#?')) dosubmit('delete- #EMPNO#');">Delete</a> 41

42 PL/SQL Dynamic Region declare l_my_content varchar2(32000); begin select my_content into l_my_content from my_table where id = :P1_ID; htp.p( apex_escape.html(l_my_content) ); end;

43 apex_escape.html This function escapes characters which can change the context in an html environment. By default, the escaping mode is "Extended APEX_ESCAPE.SET_HTML_ESCAPING_MODE If the mode is "Basic", the function behaves like sys.htf.escape_sc

44 apex_escape.html Original Escaped & & " " < < > > ' ' / /

45 apex_escape.html_whitelist The HTML_WHITELIST function performs HTML escape on all characters in the input text except the specified whitelist tags. This function can be useful if the input text contains simple html markup but a developer wants to ensure that an attacker cannot use malicious tags for cross-site scripting.

46 apex_escape.html_whitelist c_html_whitelist_tags: <h1>,</h1>,<h2>,</h2>,<h3>,</h3>,<h4>,</h4>,<p>,</ p>,<b>,</b>,<strong>,</strong>,<i>,</i>,<em>,</em>, <ul>,</ul>,<ol>,</ol>,<li>,</li>,<dl>,</dl>,<dt>,</dt>,<d d>,</dd>,<pre>,</pre>,<code>,</code>,<br />,<br/>,<br>,<br>,<hr/>

47 Rich Text Editor loadjava -resolve -genmissing -user u/p Antisamy.jar o o o o o o Antisamy/policies/antisamy-anythinggoes xml Antisamy/policies/antisamy-ebay xml Antisamy/policies/antisamy-myspace xml Antisamy/policies/antisamy-slashdot xml Antisamy/policies/antisamy-tinymce xml Antisamy/policies/default.xml

48 Rich Text Editor

49 Application items Referencing items in HTML regions Page items always escaped You have escape application items manually

50 Page items

51 Application items

52 APEX and XSS APEX is doing job protecting against XSS attacks ( but it depends what developer is doing ) (Display) items are protected by default Reports (columns) are protected by default URL is escaped &PAGE_ITEM. is always protected Escape application items manually

53 Session State Protection

54 Session state protection Enabling Session State Protection can prevent hackers from tampering with URLs within your application URL tampering can adversely affect program logic, session state contents, and information privacy. When enabled, Session State Protection uses the Page Access Protection attributes and the Session State Protection item attributes with checksums positioned in f?p= URLs to prevent URL tampering and unauthorized access to and alteration of session state

55 Session state protection You can enable session state protection from either the Edit Security Attributes page or the Session State Protection page Enabling Session State Protection is a two-step process. o First, you enable the feature. o Second, you set page and item security attributes

56 Page Access Protection Unrestricted Arguments Must Have Checksum No Arguments Supported o URL can not contain Request, Clear Cache, or Name/Value Pair arguments No URL Access o page may be the target of a Branch to Page branch type, as this does not perform a URL redirect

57 Application and Page items Unrestricted Restricted - May not be set from browser - o o o Display Only (Save State=No) Text Field (Disabled, does not save state) Stop and Start Grid Layout (Displays label only) Checksum Required: Application Level Checksum Required: User Level Checksum Required: Session Level

58 Tools

59 Tools Built-in Advisor ( Application -> Utilities -> Advisor ) ApexSec o APEX-SERT o

60 There is more to it Dimitri Gielis & Aljaz Mali, SIOUG ORDS settings Workspace and Application Settings Authorization and Authentication VPD, RAS, Shadow Schema SQL Injection Cross Site Scripting Session State Protection SSL and Reverse Proxy 60

61 Secure your APEX application APEX World, Rotterdam, 22 & 23 March, 2018 Aljaž Abakus Plus, d.o.o.

WELCOME. APEX Security Primer. About Enkitec. About the Presenter. ! Oracle Platinum Partner! Established in 2004

WELCOME. APEX Security Primer. About Enkitec. About the Presenter. ! Oracle Platinum Partner! Established in 2004 WELCOME APEX Security Primer Scott Spendolini Executive Director!1!2 About the Presenter About Enkitec! Scott Spendolini! Oracle Platinum Partner! scott.spendolini@enkitec.com! Established in 2004! @sspendol!