Hands-On Oracle Application Express Security
eBook - ePub

Building Secure Apex Applications

About this book

An example-driven approach to securing Oracle APEX applications

As a Rapid Application Development framework, Oracle Application Express (APEX) allows websites to easily be created based on data within an Oracle database. Using only a web browser, you can develop and deploy professional applications that are both fast and secure. However, as with any website, there is a security risk and threat, and securing APEX applications requires some specific knowledge of the framework. Written by well-known security specialists Recx, this book shows you the correct ways to implement your APEX applications to ensure that they are not vulnerable to attacks. Real-world examples of a variety of security vulnerabilities demonstrate attacks and show the techniques and best practices for making applications secure.

  • Divides coverage into four sections, three of which cover the main classes of threat faced by web applications, while the fourth covers an APEX-specific protection mechanism
  • Addresses the security issues that can arise, demonstrating secure application design
  • Examines the most common class of vulnerability that allows attackers to invoke actions on behalf of other users and access sensitive data

The lead-by-example approach featured in this critical book teaches you basic "hacker" skills in order to show you how to validate and secure your APEX applications.

Information

Publisher: Wiley
Year: 2013
eBook ISBN: 9781118686133
Edition: 1

Chapter 1

Access Control

One of the most basic forms of protection that any web application must utilize is the enforcement of an authentication and authorization policy.
Authentication deals with identifying users to the application; in APEX this is provided by a number of default authentication schemes and can be extended using a custom authentication scheme. Authorization is the process of assessing whether the authenticated user is privileged to access certain data or perform a particular action.
The term access control covers both aspects, and access-control vulnerabilities arise when either authentication can be abused to allow access to an application without valid credentials, or when authorization is incorrectly applied, allowing valid users to access parts of the application for which they should not have privileges.
One of the great things about APEX is the capability to apply authorization schemes to a wide range of components. At a simple level, pages within an APEX application can be protected by your authorization scheme to prevent access to certain sets of users. The applicability of authorization schemes is a lot more granular: reports, buttons, and processes can all also be protected. Users with different privileges can then only view or access specific components on a page. While APEX provides a great access control model, there are some common mistakes that are made where data and functionality do not get protected as you might expect. This chapter will guide you through the various access control features and show how they can be used securely in your applications.

THE PROBLEM

When authentication or authorization is not applied correctly, an unauthenticated user with no access to the application may be able to view and interact with the data it is intended to protect. Valid (but malicious) users of the application may also be able to invoke operations that should be restricted to a limited subset of users.
In our experience performing security assessments of APEX applications, we can say that although APEX provides fantastic flexibility and granularity with authorization, in many cases such protection is not defined or applied correctly. As an APEX application grows and matures, we often see newer pages and components that do not have the protection they require. In one (extreme!) case, we analyzed an application where the Create Admin User page was not protected, and could be accessed by any authenticated user of the application.

THE SOLUTION

By ensuring that the authentication scheme used by your APEX application is robust and conforms to best practice, you can be confident that only legitimate users of the application should have access. Of course, other attacks against an APEX application can allow those malicious attackers to get in even when authentication is defined correctly, but these attacks (such as using Cross-Site Scripting to steal a valid user’s credentials, or SQL Injection to access arbitrary data within the database) can be mitigated in other ways and are discussed later in this book.
Authorization should be applied to those areas within an application that need to be protected from subsets of valid authenticated users. Only very simple applications are designed with one generic user level; most have at least some notion of "role" with base-level users, and administrative functionality for a specific group of users.
We’re not going to cover designing and documenting an application’s access-control model, as this is very dependent on the specific requirements of the application. However, this is a crucial step when developing any system. Such requirements should be captured when the system is planned, and then once implemented, the access-control structure can be compared with the initial intentions.
Instead, we present some common access-control mishaps that we’ve observed across a number of APEX applications, and discuss how the simple addition of access-control settings can secure the APEX application.

AUTHENTICATION

The first stage is to define a reasonable authentication scheme for the application. In general, any authentication scheme should be capable of identifying users based on some description of who they are (their username) and a secret that nobody except the user should know (such as a password).
Depending on the requirements of the APEX application, you define authentication using one of the built-in methods or via a custom scheme, as shown in Figure 1-1.
FIGURE 1-1: Available authentication schemes
image
No rules exist for which of these schemes to use or avoid (although choosing Open Door Credentials would require confidence that the data and operations of the application were truly intended for everybody).
When authenticating users based on the traditional credentials of username and password, here is some "best practice" guidance that you should consider:
  • Account lockout: If a user attempts authentication with an invalid password a number of times, consider rejecting future access for a certain period (the chosen threshold and timeout depends on the sensitivity of the application and the corporate security policy).
  • Password complexity: Users invariably choose the simplest password they can, so an application should enforce a level of complexity so attackers cannot guess valid user credentials (again, the chosen policy depends on the application).
  • Password reset: Where an application allows users to reset their password if they forget, it should either require some additional confirmation or send a reset link with a unique token to their configured e-mail address. The application should not allow a reset based on some publicly available information (for example, birth date or mother’s maiden name), and should never e-mail users their actual password.
  • Password storage: The application should not store user credentials in clear text, but instead should store passwords that are cryptographically "hashed" and preferably "salted" with a unique value. This limits the damage of the worst-case scenario of your account information being compromised, because an attacker would still not be able to authenticate as other users without "cracking" the password hashes. Storing passwords that are encrypted, rather than hashed, is not considered good practice because they can be decrypted should the key be discovered.
With an authentication scheme defined along these lines and applied to an APEX application, every non-public page is protected so that only legitimate users can reach it. This is the first part of the access-control story; the next stage is applying authorization to provide more granular control over the functionality available to each user.
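The four guidelines above are easiest to see together in a custom authentication scheme. The following PL/SQL is an added example, not code from the book or from Recx: it implements lockout, a complexity check, hashed-token password reset and salted, iterated password hashing behind the `(p_username, p_password) RETURN BOOLEAN` function signature that an APEX custom scheme calls. The table name, column names, iteration count, lockout threshold and complexity rule are all illustrative assumptions, and `DBMS_CRYPTO.HASH_SH256` needs Oracle 12c or later.

```sql
-- Added example (not from the book). Names and policy values are assumptions.
CREATE TABLE app_users (
  username         VARCHAR2(64) PRIMARY KEY,
  pwd_salt         RAW(16)      NOT NULL,  -- unique per user
  pwd_hash         RAW(32)      NOT NULL,  -- salted, iterated SHA-256; never the password
  failed_logins    NUMBER(2)    DEFAULT 0 NOT NULL,
  locked_until     TIMESTAMP,
  reset_token_hash RAW(32),                -- only the hash of the e-mailed token is stored
  reset_expires    TIMESTAMP
);

CREATE OR REPLACE PACKAGE app_auth AS
  FUNCTION  hash_password      (p_password IN VARCHAR2, p_salt IN RAW) RETURN RAW;
  PROCEDURE set_password       (p_username IN VARCHAR2, p_password IN VARCHAR2);
  FUNCTION  create_reset_token (p_username IN VARCHAR2) RETURN VARCHAR2;
  -- Signature expected by an APEX custom authentication scheme
  FUNCTION  authenticate       (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN;
END app_auth;
/

CREATE OR REPLACE PACKAGE BODY app_auth AS
  c_iterations CONSTANT PLS_INTEGER := 100000; -- work factor; tune to ~100 ms on your hardware
  c_max_failed CONSTANT PLS_INTEGER := 5;      -- lockout threshold (policy-dependent)
  c_lock_mins  CONSTANT PLS_INTEGER := 15;     -- lockout duration  (policy-dependent)

  FUNCTION hash_password (p_password IN VARCHAR2, p_salt IN RAW) RETURN RAW IS
    l_buf RAW(2000) := UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8');
  BEGIN
    -- Salted and iterated: a stolen table forces a slow, per-user brute force.
    -- A purpose-built KDF (PBKDF2, bcrypt, Argon2) is better still where available.
    FOR i IN 1 .. c_iterations LOOP
      l_buf := DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(p_salt, l_buf), DBMS_CRYPTO.HASH_SH256);
    END LOOP;
    RETURN l_buf;
  END hash_password;

  PROCEDURE set_password (p_username IN VARCHAR2, p_password IN VARCHAR2) IS
    l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
    l_hash RAW(32);
  BEGIN
    -- Complexity policy (assumed): 12+ characters, at least one digit and one symbol
    IF LENGTH(p_password) < 12
       OR NOT REGEXP_LIKE(p_password, '[0-9]')
       OR NOT REGEXP_LIKE(p_password, '[^[:alnum:]]') THEN
      RAISE_APPLICATION_ERROR(-20001, 'Password does not meet the complexity policy');
    END IF;
    l_hash := hash_password(p_password, l_salt);
    MERGE INTO app_users u
    USING (SELECT UPPER(p_username) AS username FROM dual) s
    ON (u.username = s.username)
    WHEN MATCHED THEN UPDATE SET pwd_salt = l_salt, pwd_hash = l_hash,
                                 reset_token_hash = NULL, reset_expires = NULL
    WHEN NOT MATCHED THEN INSERT (username, pwd_salt, pwd_hash)
                          VALUES (s.username, l_salt, l_hash);
  END set_password;

  FUNCTION create_reset_token (p_username IN VARCHAR2) RETURN VARCHAR2 IS
    l_token RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32); -- unguessable, single use
  BEGIN
    -- The raw token goes into the e-mailed link; only its hash is kept, with an expiry.
    -- An unknown user updates no row, but a token is still returned so the response
    -- does not reveal which usernames exist.
    UPDATE app_users
       SET reset_token_hash = DBMS_CRYPTO.HASH(l_token, DBMS_CRYPTO.HASH_SH256),
           reset_expires    = SYSTIMESTAMP + NUMTODSINTERVAL(30, 'MINUTE')
     WHERE username = UPPER(p_username);
    RETURN RAWTOHEX(l_token);
  END create_reset_token;

  FUNCTION authenticate (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    l_user   app_users%ROWTYPE;
    l_failed PLS_INTEGER;
    l_dummy  RAW(32);
  BEGIN
    SELECT * INTO l_user FROM app_users WHERE username = UPPER(p_username) FOR UPDATE;
    -- Account lockout: reject while locked, even if the password is correct
    IF l_user.locked_until > SYSTIMESTAMP THEN
      RETURN FALSE;
    END IF;
    IF hash_password(p_password, l_user.pwd_salt) = l_user.pwd_hash THEN
      UPDATE app_users SET failed_logins = 0, locked_until = NULL WHERE username = l_user.username;
      COMMIT;
      RETURN TRUE;
    END IF;
    -- Wrong password: count it; an already expired lock resets the count first
    l_failed := CASE WHEN l_user.locked_until IS NULL THEN l_user.failed_logins ELSE 0 END + 1;
    UPDATE app_users
       SET failed_logins = l_failed,
           locked_until  = CASE WHEN l_failed >= c_max_failed
                                THEN SYSTIMESTAMP + NUMTODSINTERVAL(c_lock_mins, 'MINUTE') END
     WHERE username = l_user.username;
    COMMIT;
    RETURN FALSE;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: spend the same hashing time so timing does not reveal valid usernames
      l_dummy := hash_password(p_password, HEXTORAW('00'));
      RETURN FALSE;
  END authenticate;
END app_auth;
/
```

To wire this in, create an authentication scheme of type Custom and set its Authentication Function Name to `app_auth.authenticate`; the reset link handler would hash the token from the URL, compare it with `reset_token_hash` before `reset_expires`, and then call `set_password`, which also clears the token so it cannot be replayed.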

Application Authentication

You can define the authentication scheme in the Security section of an APEX application’s properties, as shown in Figure 1-2. This scheme is used whenever a page that requires authentication is requested by a user who is not logged in. It is possible to specify No Authentication, effectively making all pages publicly accessible; needless to say, you should not use this without very careful consideration about the data and features within an application.
FIGURE 1-2: Application authentication settings
image

Page Authentication

You can apply authentication to pages within an APEX application via the Security section of the page properties, as shown in Figure 1-3.
FIGURE 1-3: Setting page authentication
image
This setting dictates simply whether a user needs to be authenticated to access the page. If a page doesn’t require authentication, it is considered a public page.
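Because the page and application settings above live in the APEX repository, the "newer pages that never got protection" problem from THE PROBLEM can be checked with a query rather than by clicking through every page. The queries below are an added example, not from the book: they read the `APEX_APPLICATION_PAGES`, `APEX_APPLICATION_PAGE_PROC` and `APEX_APPLICATION_PAGE_BUTTONS` dictionary views. The application ID `100` is a placeholder, and the exact column names should be confirmed against the release you run.

```sql
-- Added example (not from the book). Application ID 100 is a placeholder.

-- 1. Public pages: each of these is reachable with no login at all, so every row
--    should be a deliberate choice (login page, public landing page, and so on).
SELECT page_id, page_name, page_alias
  FROM apex_application_pages
 WHERE application_id = 100
   AND page_requires_authentication = 'No'
 ORDER BY page_id;

-- 2. Authenticated pages with no authorization scheme: any logged-in user can
--    open them. Anything with an administrative name here needs a scheme.
SELECT page_id, page_name
  FROM apex_application_pages
 WHERE application_id = 100
   AND page_requires_authentication = 'Yes'
   AND authorization_scheme IS NULL
 ORDER BY page_id;

-- 3. Processes and buttons that any valid user can invoke: neither the page nor
--    the component carries an authorization scheme. This is the "valid but
--    malicious user invokes a restricted operation" case.
SELECT p.page_id, p.page_name, 'process' AS kind, pr.process_name AS component
  FROM apex_application_pages p
  JOIN apex_application_page_proc pr
    ON pr.application_id = p.application_id AND pr.page_id = p.page_id
 WHERE p.application_id = 100
   AND p.authorization_scheme IS NULL
   AND pr.authorization_scheme IS NULL
UNION ALL
SELECT p.page_id, p.page_name, 'button', b.button_name
  FROM apex_application_pages p
  JOIN apex_application_page_buttons b
    ON b.application_id = p.application_id AND b.page_id = p.page_id
 WHERE p.application_id = 100
   AND p.authorization_scheme IS NULL
   AND b.authorization_scheme IS NULL
 ORDER BY 1, 3, 4;
```

Run these as the application's parsing schema after each release and compare the output with the access-control model captured at design time; a row that is not in the model is either a missing scheme or an undocumented decision.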
Ge...

Table of contents

  1. Cover
  2. Contents
  3. Introduction
  4. Chapter 1: Access Control
  5. Chapter 2: Cross-Site Scripting
  6. Chapter 3: SQL Injection
  7. Chapter 4: Item Protection
  8. Appendix A: Using Apexsec to Locate Security Risks
  9. Appendix B: Updating Item Protection
  10. Appendix C: Untrusted Data Processing
