Oracle Application Express Security Essentials
Security Features for Developers
• Input/Output Filtering - Cross-Site Scripting (XSS)
• Review of Application Express “machinery”
• Session State Protection – URL Tampering
• Encrypted Session State
• Passwords and Session State
• Session Expiration
Input/Output Filtering
• Purpose – to help developers prevent cross-site scripting attacks
• How do values get into session state?
  • User input as form items submitted with page
  • Item values passed in f?p URL: f?p=100:1:999::::P1_X:100000
  • Application actions (processes, computations, …)
    • :P1_X := 'foo';
    • select sal into :P1_SAL from emp;
    • apex_util.set_session_state('P1_X', 100000);
    • set_sal_procedure(:P1_X /* OUT */);
• Automatic input filtering applies to f?p inputs only
Input Filtering
• Page Item Display Types
  • Form Items
    • Checkbox
    • Date Picker
    • Hidden
    • Hidden and Protected
    • Password
    • Radiogroup
    • Select List
    • Text Field
    • Text Area
    • Display as Text (saves state)
    • ...
• Form items are submitted with page (POSTed)
Input Filtering, cont’d.
• Page Item Display Types, cont’d
  • Display-Only Items
    • Display as Text (does not save state) – for emitting HTML
    • Display as Text (based on LOV, does not save state)
    • Display as Text (based on PLSQL, does not save state)
    • Display as Text (escape special characters, does not save state)
• Display-Only items cannot be submitted with page (POST)
• Display-Only items can be set through URL (f?p)
• This is where automatic input filtering occurs – if the item in the URL is one of these types, special characters are escaped when the value is saved in session state
Output Filtering
• What type of output gets sent to browser?
  • Characters that are to be interpreted as HTML or script
  • Characters that are to be displayed as text
• When characters are not escaped when they should be, this is the basis of XSS
• Report output – source is database
  • Developers should use report column type Display as Text (escape special characters), not Standard Report Column
  • Might the data selected from a table contain unexpected script?
• Dynamic PL/SQL (htp.p) – varied sources
  • Developers must have perfect knowledge of the safety of inputs when assembling output to the browser. Where did the input originate, what transforms has it passed through, who might have touched it?
• Referencing session state – never reference a POSTable item type and emit it to the browser unescaped.
Output Filtering, cont’d.
• Session State Substitution Syntax
  • &P1_X. – item is Display-Only type
  • &P1_Y. – item is Hidden type
• HTML Region or other textual context
  • User &P1_X. is logged in.
    • Value in session state: <b>Scott</b>
    • Appearance on page: User <b>Scott</b> is logged in. (the display-only value is escaped on output, so the tags appear as text)
  • User &P1_Y. is logged in.
    • Value in session state: <b>Scott</b>
    • Appearance on page: User Scott is logged in, with “Scott” rendered in bold (the hidden-item value is emitted unescaped, so the markup is interpreted)
• Automatic escaping on output of display-only item types
  • We know it was not escaped on input, so escape on output
  • f?p .. P1_HACK:<script>alert(1);</script>
Output Filtering, cont’d.
• Developer Responsibility
  • Be able to prove that inputs are safe when assembling output
  • Always use htf.escape_sc when referencing form items, e.g., htp.p(htf.escape_sc(v('P1_Y'))); -- where P1_Y is hidden type
  • When setting session state, be conscious of item types and the risk of allowing unsafe characters to corrupt item values
    • P1_H is a hidden item normally containing safe characters
    • Hacker uses f?p URL to set P1_H:<script>alert(1);</script>
    • Page 2 gets display-only item value from corrupted hidden item: :P2_D := :P1_H;
    • Page 2 displays XSS alert
    • HTML region on page 3 references page 2 display-only item as &P2_D.
    • Page 3 displays XSS alert
Overview of Moving Parts
• End user clicks f?p link: http://apex.oracle.com/pls/otn/f?p=4500:1000:532922333356168
• f calls wwv_flow.show procedure (page show request)
  • The HTTP listener invokes mod_plsql, which connects to the database using a session obtained from the connection pool.
  • mod_plsql builds and executes an anonymous block that calls the f procedure.
  • f parses its input arguments and passes them to wwv_flow directly or sets package variables in the wwv_flow package or other packages for their access.
Moving parts, cont’d.
• wwv_flow.show constructs and emits HTML to browser
• End user uses hyperlinks to navigate to other pages (f?p requests) or submits the HTML form page – page POST invokes wwv_flow.accept procedure (page accept request)
• wwv_flow.accept evaluates branches defined on the apex page submitted
• When a suitable branch is found, a URL redirect request is issued to initiate the next page show request through f (http:// .. f?p= ..)
Moving parts, cont’d. – Other Paths
• wwv_flow.show -> wwv_flow.show: authentication steps, error pages
• wwv_flow.accept -> wwv_flow.show: Branch to Page or direct branch, to present page validation errors
• wwv_flow.show -> wwv_flow.accept: Branch to Page Accept
• AJAX – xmlhttp request POSTs to wwv_flow.show
Moving parts, cont’d.
• The essential parameter to f is p (f?p= …): application:page:session:request:debug:cc:inames:ivalues:pf
• Other parameters
  • p_trace – turn on database session tracing
  • c – workspace identifier
  • pg_min_row, pg_max_rows – report pagination
• The above parameters are passed to wwv_flow.show directly
© 2009 Oracle Corporation
Moving parts, cont’d.
• f?p=100:1:999::NO::P1_ID:32&p_trace=YES&c=DEV becomes the call:
  wwv_flow.show (
    p_flow_id => 100,
    p_flow_step_id => 1,
    p_instance => 999,
    p_request => null,
    p_debug => 'NO',
    p_clear_cache => null,
    p_arg_names => 'P1_ID',
    p_arg_values => '32',
    p_printer_friendly => 'NO',
    p_trace => 'YES',
    p_company => 'DEV' );
Moving parts, cont’d.
• Parameters that cannot be passed to wwv_flow.show directly:
  • success_msg
  • notification_msg
  • cs (Session State Protection checksum)
• f assigns these parameter values to package variables
  • cannot be set by end user calling f or show procedures
  • message content protected against cross-site scripting
  • security variables remain secure
Moving Parts, cont’d.
• wwv_flow.show
  • Inputs
    • Application ID
    • Page ID
    • Session ID
    • Workspace ID
    • Request
    • Page and Application Item Names
    • Page and Application Item Values
    • Ajax Controls, Scalar and Array Values
    • Checksums and other Security Values
    • Debug and Trace Flags
• wwv_flow.accept
  • Inputs
    • Application ID
    • Page ID
    • Session ID
    • Workspace ID
    • Request
    • Page Item IDs
    • Page Item Values (scalar or array)
    • Dynamically Generated Values (array)
    • Checksums and other Security Values
    • Debug and Trace Flags
Session State Protection
• Feature first appeared in 2.0
• Prevent URL tampering
  • User can change empno value to cause record to be selected for different emp
  • First level of protection against “mis-navigation”
  • Authorization must still be used in all the right places, e.g., if authenticated user has no business seeing EMP row for EMPNO 7839, authorization must prevent that.
  • f?p=100:1:999::NO::P1_EMPNO:7839
• Helps developers build applications that insist on being operated as intended
  • Don’t let users run pages with arbitrary or experimental input values in f?p URL
  • Require users to use application’s navigational aids
  • Discourage use of browser back button
  • Don’t let users jump into the middle of multi-step page sequences like wizards
Session State Protection
• Method: Generate checksummed URLs to apex pages
  • f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def&cs=350B21557A3A3338EBB124CDE2F3333C8
• When the apex engine generates links for page branches, list item targets, parent tab targets, breadcrumbs, button redirect URLs, report column links, calendar links, etc., it appends the &cs argument to f
• Checksum is computed over request, clear-cache, and item names/values
• If user alters the URL, checksum verification will fail when show is called by f
• Checksum is md5 hash of values along with a session-specific salt
Session State Protection
• Pages have SSP attribute Page Access Protection – edit page definition
  • Unrestricted – when SSP is not used by the page
  • Arguments Must Have Checksum – if URL contains request, clear-cache, item names/item values then &cs= argument must be in URL for verification
  • No Arguments Allowed – navigation to page is allowed but no request, clear-cache, item names/values are allowed, e.g., f?p=211:2:999
  • No URL Access – direct branch only may access page
Session State Protection
• Display-Only items and Application items have a useful security attribute that can be used whether SSP is enabled or not
  • Edit item security attributes and select Restricted: May not be set from browser – the item may not be altered via the URL.
  • Use this when you want to restrict the way that the item value can be set to internal processes, computations, etc.
• When SSP is enabled for the application, non-restricted items can have one of these Item Protection Level settings:
  • Unrestricted – no checksum necessary to set item in URL
  • Checksum Required: Session Level
  • Checksum Required: User Level
  • Checksum Required: Application Level
Session State Protection
• f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def&cs=350B21557A3A3338EBB124CDE2F3333C8
  • Does application 211 have SSP enabled?
  • Does page 2 require a checksum?
  • Is the checksum correct (req, cc, names, values)?
  • Begin saving items in session state. For each item:
    • Does item require a checksum and what type?
    • Is checksum level set by f in wwv_flow global >= item checksum type required (3, 2, or 1)?
• Prevent request to unprotected page 3 from allowing P2_ITEM1 being set:
  • f?p=211:3:999:req:NO::P2_ITEM1
Session State Protection
• f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def&cs=250B21557A3A3338EBB124CDE2F3333C8
  • User likes this link and wants to bookmark it
  • Your application generated authorized values for this authenticated user
• Specify Checksum Required: User Level in Item Protection Level attributes
  • User will be able to bookmark link and use it in a different session
• Specify Checksum Required: Application Level in Item Protection Level attributes to allow bookmarked links to be re-used by any user of this application in the current workspace in a new session
• Checksums for bookmark-able links use a salt saved as an application attribute
  • Home>Application Builder>Application 211>Shared Components>Edit Security Attributes
  • Allow URLs Created After: 02/27/2009 04:31:51 AM
  • Button: Expire Bookmarks
Session State Protection
• To dynamically generate links with checksums, use the apex_util package:
  prepare_url(
    p_url in varchar2,
    p_url_charset in varchar2 default null,
    p_checksum_type in varchar2 default null)
• p_checksum_type
  • '3' or 'SESSION'
  • '2' or 'PRIVATE_BOOKMARK'
  • '1' or 'PUBLIC_BOOKMARK'
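The following is an added worked model of the f?p machinery and the SSP checks described in the slides above (the p parameter layout and its mapping onto wwv_flow.show arguments, &cs= generation, tamper detection, and the three checksum levels). It is not APEX's own code: the salt values, the separator layout inside the MD5 input, and the way a level is recovered from a matching checksum are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Positional fields of f?p=, named after the wwv_flow.show parameters
# they map onto (application:page:session:request:debug:cc:inames:ivalues:pf).
P_FIELDS = ("p_flow_id", "p_flow_step_id", "p_instance", "p_request", "p_debug",
            "p_clear_cache", "p_arg_names", "p_arg_values", "p_printer_friendly")

SESSION, PRIVATE_BOOKMARK, PUBLIC_BOOKMARK = 3, 2, 1
# Constructed salts standing in for the session, user and application salts.
SALTS = {SESSION: "salt-for-session-999", PRIVATE_BOOKMARK: "salt-for-user-scott",
         PUBLIC_BOOKMARK: "salt-for-app-211"}

def parse_fp(url):
    """Split f?p= into the show() arguments; also pick up p_trace, c and cs."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = q["p"][0].split(":")
    fields += [""] * (len(P_FIELDS) - len(fields))  # omitted trailing fields are empty
    args = dict(zip(P_FIELDS, fields))
    args["p_trace"] = q.get("p_trace", [""])[0]
    args["p_company"] = q.get("c", [""])[0]       # c = workspace identifier
    args["cs"] = q.get("cs", [None])[0]           # never passed to show() directly
    return args

def checksum(args, level):
    """MD5 over request, clear-cache and item names/values plus a per-level salt.
    MD5 is what the slides describe; a new design would use an HMAC instead."""
    covered = "|".join(args[k] for k in ("p_request", "p_clear_cache",
                                         "p_arg_names", "p_arg_values"))
    return hashlib.md5(f"{covered}|{SALTS[level]}".encode()).hexdigest().upper()

def prepare_url(url, level=SESSION):
    """Append &cs= the way the engine does when it generates a link."""
    return f"{url}&cs={checksum(parse_fp(url), level)}"

def verify(url, required_level):
    """Accept the URL only if its cs matches at a level >= the item's requirement
    (3 session, 2 user/private bookmark, 1 application/public bookmark)."""
    args = parse_fp(url)
    if args["cs"] is None:
        return False
    for level in (SESSION, PRIVATE_BOOKMARK, PUBLIC_BOOKMARK):
        if hmac.compare_digest(args["cs"].encode(), checksum(args, level).encode()):
            return level >= required_level
    return False  # altered request, clear-cache, names or values: no salt matches
```

Editing any of the covered fields after the link was generated (the P2_ITEM2 value, for instance) makes verification fail, while a public-bookmark checksum still verifies only for items whose protection level is application level.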
Session State Protection
• It is easy to turn SSP on/off for an application
  • During development, this can be useful
  • You don’t lose your settings when you disable SSP
• Developer can use wizard to set page and item attributes for entire application
• Easy to adjust page/item SSP attributes individually
• Feature should be enabled by default when application is created – maybe for next release
• Important to remember to set both page and item attributes when first setting it up.
Session Expiration
• 3.2 Feature – Session expiration application attributes
  • Home>Application Builder>Application 211>Shared Components>Edit Security Attributes
  • Maximum Session Length in Seconds – wall clock time session can exist
  • Session Timeout URL – for public page to tell user what happened
  • Maximum Session Idle Time in Seconds – wall clock time session can be idle
  • Idle Timeout URL – for public page to tell user what happened
• API provided to programmatically adjust either limit (apex_util)
  procedure set_session_lifetime_seconds(
    p_seconds in number,
    p_scope in varchar2 default 'SESSION');
  procedure set_session_max_idle_seconds(
    p_seconds in number,
    p_scope in varchar2 default 'SESSION');
Session State Encryption
• 3.2 Feature – Session state encryption for page item values
  • Home>Application Builder>Application 9188>Page 7>Edit Page Item
  • Store value encrypted in session state: Yes/No
• When the item is saved in the session state table, it is encrypted. This protects sensitive data from unauthorized view by those with access to database tables, backups, etc.
• When the item is referenced within the application, it is decrypted.
• Not possible to pass encrypted value in URL. Developers should avoid passing these values in links.
• DBMS_CRYPTO used with a salt generated during the installation of Application Express and saved in SYS schema
Non-persistent Password Item Type
• 3.2 Feature – Non-persistent password item type
• Passwords that are entered in a form and processed during that page’s after-submit processing can use the new Password (does not save state) item type
• Apex engine simply skips the step that would ordinarily write submitted item values to the session state table.
• Page item value can be referenced during after-submit validations, computations, processes, and by compiled PL/SQL called from those components during the lifetime of the HTTP request used to submit the page. After that, there is no record of the item value.
• During upgrade to 3.2, all “old” password item types in applications are converted to use the encryption feature.
• Apex provides new reports so developers can see at-risk password types in an application, i.e., those that use the “old” password type and also do not use the encryption feature.