
Oracle Application Express Security Essentials. Security Features for Developers: Input/Output Filtering - Cross-Site Scripting (XSS); Review of Application Express “machinery”; Session State Protection – URL Tampering; Encrypted Session State.

breck

Presentation Transcript


  1. Oracle Application Express Security Essentials

  2. Security Features for Developers
  • Input/Output Filtering - Cross-Site Scripting (XSS)
  • Review of Application Express “machinery”
  • Session State Protection – URL Tampering
  • Encrypted Session State
  • Passwords and Session State
  • Session Expiration

  3. Input/Output Filtering
  • Purpose – to help developers prevent cross-site scripting attacks
  • How do values get into session state?
    • User input as form items submitted with the page
    • Item values passed in the f?p URL: f?p=100:1:999::::P1_X:100000
    • Application actions (processes, computations, …), e.g.
        :P1_X := 'foo';
        select sal into :P1_SAL from emp;
        apex_util.set_session_state('P1_X', 100000);
        set_sal_procedure(:P1_X /* OUT */);
  • Automatic input filtering applies to f?p inputs only

  4. Input Filtering
  • Page Item Display Types
    • Form Items
      • Checkbox
      • Date Picker
      • Hidden
      • Hidden and Protected
      • Password
      • Radiogroup
      • Select List
      • Text Field
      • Text Area
      • Display as Text (saves state)
      • ...
    • Form items are submitted with the page (POSTed)

  5. Input Filtering, cont'd.
  • Page Item Display Types, cont'd
    • Display-Only Items
      • Display as Text (does not save state) – for emitting HTML
      • Display as Text (based on LOV, does not save state)
      • Display as Text (based on PLSQL, does not save state)
      • Display as Text (escape special characters, does not save state)
    • Display-Only items cannot be submitted with the page (POST)
    • Display-Only items can be set through the URL (f?p)
    • This is where automatic input filtering occurs – if the item in the URL is one of these types, its value is escaped (escape_sc) when it is saved in session state

  6. Output Filtering
  • What type of output gets sent to the browser?
    • Characters that are to be interpreted as HTML or script
    • Characters that are to be displayed as text
  • When characters are not escaped when they should be, this is the basis of XSS
  • Report output – source is the database
    • Developers should use the report column type Display as Text (escape special characters), not Standard Report Column
    • Might the data selected from a table contain unexpected script?
  • Dynamic PL/SQL (htp.p) – varied sources
    • Developers must have perfect knowledge of the safety of inputs when assembling output for the browser. Where did the input originate, what transforms has it passed through, who might have touched it?
  • Referencing session state – never reference a POSTable item type and emit it to the browser unescaped.

  7. Output Filtering, cont'd.
  • Session State Substitution Syntax
    • &P1_X. – item is Display-Only type
    • &P1_Y. – item is Hidden type
  • HTML Region or other textual context
    • User &P1_X. is logged in.
      • Value in session state: <b>Scott</b>
      • Appearance on page: User Scott is logged in. (Scott rendered in bold; the markup is interpreted)
    • User &P1_Y. is logged in.
      • Value in session state: <b>Scott</b>
      • Appearance on page: User <b>Scott</b> is logged in. (the tags are shown literally, because the value is emitted as &lt;b&gt;Scott&lt;/b&gt;)
  • Automatic escaping on output of display-only item types
    • We know it was not escaped on input, so escape on output
    • f?p .. P1_HACK:<script>alert(1);</script>

  8. Output Filtering, cont'd.
  • Developer Responsibility
    • Be able to prove that inputs are safe when assembling output
    • Always use htf.escape_sc when referencing form items, e.g.
        htp.p(htf.escape_sc( v('P1_Y') )); -- where P1_Y is hidden type
    • When setting session state, be conscious of item types and the risk of allowing unsafe characters to corrupt item values
      • P1_H is a hidden item normally containing safe characters
      • Hacker uses an f?p URL to set P1_H:<script>alert(1);</script>
      • Page 2 gets a display-only item value from the corrupted hidden item: :P2_D := :P1_H;
      • Page 2 displays the XSS alert
      • An HTML region on page 3 references the page 2 display-only item as &P2_D.
      • Page 3 displays the XSS alert
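The escaping rules of slides 5, 7 and 8 as an added, runnable model (illustrative Python written for this page, not Application Express code): display-only items are escaped when set from the URL, POSTable items are escaped on &ITEM. output, and a process that copies a hidden item into a display-only item sidesteps both unless it escapes the value itself. The SessionState class, the escape_sc stand-in and the item-type sets are constructed for the model.

```python
"""Model of the APEX input/output filtering rules on slides 3-8.
Illustrative Python, not Application Express code; the item-type names are a
constructed subset of the slides' lists."""
import html

POSTABLE = {"Hidden", "Text Field", "Text Area", "Select List", "Password"}
DISPLAY_ONLY = {"Display as Text", "Display as Text (escape special characters)"}


def escape_sc(s):
    """Stand-in for htf.escape_sc: escape the HTML special characters."""
    return html.escape(s, quote=True)


class SessionState:
    def __init__(self, item_types):
        self.types = dict(item_types)   # item name -> display type
        self.values = {}

    def set_from_url(self, name, value):
        # Automatic input filtering applies to f?p inputs only, and only to
        # display-only item types (slide 5). POSTable types are stored raw.
        if self.types[name] in DISPLAY_ONLY:
            value = escape_sc(value)
        self.values[name] = value

    def set_from_process(self, name, value):
        # Application actions such as :P2_D := :P1_H bypass input filtering.
        self.values[name] = value

    def substitute(self, template):
        # &ITEM. substitution (slide 7): a POSTable item was not escaped on
        # input, so it is escaped on output; a display-only item is emitted
        # exactly as stored, on the assumption that it was escaped on input.
        for name, value in self.values.items():
            if self.types[name] in POSTABLE:
                value = escape_sc(value)
            template = template.replace(f"&{name}.", value)
        return template


def slide8_chain(escape_on_copy=False):
    """Slide 8: a hidden item set from the URL is copied into a display-only
    item by a process. Returns the HTML emitted for page 2 and page 3."""
    s = SessionState({"P1_H": "Hidden", "P2_D": "Display as Text"})
    s.set_from_url("P1_H", "<script>alert(1);</script>")   # hidden: not filtered
    copied = s.values["P1_H"]
    if escape_on_copy:
        copied = escape_sc(copied)   # the fix: escape_sc when crossing item types
    s.set_from_process("P2_D", copied)
    page2 = s.substitute("<span>&P2_D.</span>")          # item rendered on page 2
    page3 = s.substitute("<p>Last value: &P2_D.</p>")     # HTML region on page 3
    return page2, page3
```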

  9. Overview of Moving Parts
  • End user clicks an f?p link: http://apex.oracle.com/pls/otn/f?p=4500:1000:532922333356168
  • f calls the wwv_flow.show procedure (page show request)
    • The HTTP listener invokes mod_plsql, which connects to the database using a session obtained from the connection pool.
    • mod_plsql builds and executes an anonymous block that calls the f procedure.
    • f parses its input arguments and passes them to wwv_flow directly, or sets package variables in the wwv_flow package or other packages for their access.

  10. Moving parts, cont'd.
  • wwv_flow.show constructs and emits HTML to the browser
  • End user uses hyperlinks to navigate to other pages (f?p requests) or submits the HTML form page – the page POST invokes the wwv_flow.accept procedure (page accept request)
  • wwv_flow.accept evaluates the branches defined on the submitted apex page
  • When a suitable branch is found, a URL redirect request is issued to initiate the next page show request through f (http:// .. f?p= ..)

  11. Moving parts, cont'd. Other Paths
  • wwv_flow.show -> wwv_flow.show: authentication steps, error pages
  • wwv_flow.accept -> wwv_flow.show: Branch to Page or direct branch, to present page validation errors
  • wwv_flow.show -> wwv_flow.accept: Branch to Page Accept
  • AJAX – xmlhttp request POSTs to wwv_flow.show

  12. Moving parts, cont'd.
  The essential parameter to f is p (f?p= …):
      application:page:session:request:debug:cc:inames:ivalues:pf
  Other parameters:
    • p_trace - turn on database session tracing
    • c – workspace identifier
    • pg_min_row, pg_max_rows – report pagination
  The above parameters are passed to wwv_flow.show directly.
  © 2009 Oracle Corporation

  13. Moving parts, cont'd.
  The request
      f?p=100:1:999::NO::P1_ID:32&p_trace=YES&c=DEV
  becomes the call
      wwv_flow.show (
          p_flow_id          => 100,
          p_flow_step_id     => 1,
          p_instance         => 999,
          p_request          => null,
          p_debug            => 'NO',
          p_clear_cache      => null,
          p_arg_names        => 'P1_ID',
          p_arg_values       => '32',
          p_printer_friendly => 'NO',
          p_trace            => 'YES',
          p_company          => 'DEV' );

  14. Moving parts, cont'd.
  Parameters that cannot be passed to wwv_flow.show directly:
  • success_msg
  • notification_msg
  • cs (Session State Protection checksum)
  • f assigns these parameter values to package variables
    • they cannot be set by an end user calling the f or show procedures
    • message content is protected against cross-site scripting
    • security variables remain secure

  15. Moving Parts, cont'd.
  • wwv_flow.show
    • Inputs
      • Application ID
      • Page ID
      • Session ID
      • Workspace ID
      • Request
      • Page and Application Item Names
      • Page and Application Item Values
      • Ajax Controls, Scalar and Array Values
      • Checksums and other Security Values
      • Debug and Trace Flags
  • wwv_flow.accept
    • Inputs
      • Application ID
      • Page ID
      • Session ID
      • Workspace ID
      • Request
      • Page Item IDs
      • Page Item Values (scalar or array)
      • Dynamically Generated Values (array)
      • Checksums and other Security Values
      • Debug and Trace Flags

  16. Session State Protection
  • Feature first appeared in 2.0
  • Prevent URL tampering
    • User can change the empno value to cause the record of a different emp to be selected: f?p=100:1:999::NO::P1_EMPNO:7839
    • First level of protection against “mis-navigation”
    • Authorization must still be used in all the right places, e.g., if the authenticated user has no business seeing the EMP row for EMPNO 7839, authorization must prevent that.
  • Helps developers build applications that insist on being operated as intended
    • Don't let users run pages with arbitrary or experimental input values in the f?p URL
    • Require users to use the application's navigational aids
    • Discourage use of the browser back button
    • Don't let users jump into the middle of multi-step page sequences like wizards

  17. Session State Protection
  • Method: generate checksummed URLs to apex pages
      f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def&cs=350B21557A3A3338EBB124CDE2F3333C8
  • When the apex engine generates links for page branches, list item targets, parent tab targets, breadcrumbs, button redirect URLs, report column links, calendar links, etc., it appends the &cs argument to f
  • The checksum is computed over the request, clear-cache, and item names/values
  • If the user alters the URL, checksum verification will fail when show is called by f
  • The checksum is an md5 hash of the values along with a session-specific salt

  18. Session State Protection
  • Pages have the SSP attribute Page Access Protection – edit the page definition
    • Unrestricted - when SSP is not used by the page
    • Arguments Must Have Checksum - if the URL contains a request, clear-cache, or item names/item values, then the &cs= argument must be in the URL for verification
    • No Arguments Allowed - navigation to the page is allowed, but no request, clear-cache, or item names/values are allowed, e.g., f?p=211:2:999
    • No URL Access - only a direct branch may access the page

  19. Session State Protection
  • Display-Only items and Application items have a useful security attribute that can be used whether SSP is enabled or not
    • Edit the item security attributes and select Restricted: May not be set from browser - the item may not be altered via the URL.
    • Use this when you want to restrict the way the item value can be set to internal processes, computations, etc.
  • When SSP is enabled for the application, non-restricted items can have one of these Item Protection Level settings:
    • Unrestricted – no checksum necessary to set the item in the URL
    • Checksum Required: Session Level
    • Checksum Required: User Level
    • Checksum Required: Application Level

  20. Session State Protection
  • f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def&cs=350B21557A3A3338EBB124CDE2F3333C8
  • Does application 211 have SSP enabled?
  • Does page 2 require a checksum?
  • Is the checksum correct (req, cc, names, values)?
  • Begin saving items in session state. For each item:
    • Does the item require a checksum, and what type?
    • Is the checksum level set by f in the wwv_flow global >= the checksum type the item requires (3, 2, or 1)?
  • Prevent a request to unprotected page 3 from allowing P2_ITEM1 to be set: f?p=211:3:999:req:NO::P2_ITEM1
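An added model of the f?p argument layout from slides 12-13 and the checksum handling of slides 17-20 and 22 (illustrative Python written for this page, not APEX internals): it parses the positional p= fields, generates a &cs= value the way the slides describe, and walks the slide-20 decision list, including the item-level check that stops an unprotected page from setting a protected item. The salts, the hash input layout and the parse_fp/prepare_url/verify helpers are constructed; only the md5-with-salt construction follows slide 17.

```python
"""Model of the f?p argument layout (slides 12-13) and Session State Protection
checksums (slides 17-20, 22). Illustrative Python; not APEX's real hash or salt scheme."""
import hashlib
from urllib.parse import parse_qs

# Positional fields of p=application:page:session:request:debug:cc:inames:ivalues:pf
FIELDS = ("app", "page", "session", "request", "debug",
          "clear_cache", "item_names", "item_values", "printer_friendly")

def parse_fp(query):
    """Split e.g. 'p=100:1:999::NO::P1_ID:32&p_trace=YES&c=DEV' into a dict."""
    qs = parse_qs(query, keep_blank_values=True)
    parts = (qs["p"][0].split(":") + [""] * 9)[:9]   # pad/truncate to 9 fields
    args = dict(zip(FIELDS, parts))
    for extra in ("p_trace", "c", "cs"):             # non-positional arguments
        args[extra] = qs.get(extra, [None])[0]
    return args

def salt_for(level, ctx):
    # Slide 22 checksum types: 3 = SESSION (session-specific salt), 2 = PRIVATE_BOOKMARK
    # (application salt + user), 1 = PUBLIC_BOOKMARK (application salt). ctx is constructed.
    return {3: ctx["session_salt"], 2: ctx["app_salt"] + ctx["user"],
            1: ctx["app_salt"]}[level]

def checksum(args, level, ctx):
    """md5 over request, clear-cache, item names/values and a salt (slide 17)."""
    data = "|".join((args["request"], args["clear_cache"], args["item_names"],
                     args["item_values"], salt_for(level, ctx)))
    return hashlib.md5(data.encode()).hexdigest().upper()

def prepare_url(query, level, ctx):
    # Append &cs= the way the engine does for links it generates itself
    return f"{query}&cs={checksum(parse_fp(query), level, ctx)}"

def verify(query, ctx, page_protection, item_levels):
    """Run the slide-20 decision list on a request; return (accepted, reason)."""
    a = parse_fp(query)
    has_args = any(a[k] for k in ("request", "clear_cache", "item_names", "item_values"))
    if page_protection == "No URL Access":
        return False, "page may be reached by direct branch only"
    if page_protection == "No Arguments Allowed" and has_args:
        return False, "page accepts no request, clear-cache or item arguments"
    # Highest checksum type whose value matches; 0 when cs is absent or altered
    level = next((lvl for lvl in (3, 2, 1) if a["cs"] == checksum(a, lvl, ctx)), 0)
    if page_protection == "Arguments Must Have Checksum" and has_args and not level:
        return False, "checksum missing or URL altered"
    for name in filter(None, a["item_names"].split(",")):   # Item Protection Level
        if level < item_levels.get(name, 0):                # 0 = Unrestricted
            return False, f"{name} requires checksum type >= {item_levels[name]}"
    return True, f"accepted at checksum type {level}"
```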

  21. Session State Protection
  • f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def&cs=250B21557A3A3338EBB124CDE2F3333C8
  • User likes this link and wants to bookmark it
  • Your application generated authorized values for this authenticated user
  • Specify Checksum Required: User Level in the Item Protection Level attributes
    • The user will be able to bookmark the link and use it in a different session
  • Specify Checksum Required: Application Level in the Item Protection Level attributes to allow bookmarked links to be re-used by any user of this application in the current workspace in a new session
  • The checksum salt used for bookmark-able links is a salt saved as an application attribute
    • Home>Application Builder>Application 211>Shared Components>Edit Security Attributes
    • Allow URLs Created After: 02/27/2009 04:31:51 AM
    • Button: Expire Bookmarks

  22. Session State Protection
  • To dynamically generate links with checksums, use the apex_util package:
      prepare_url(
        p_url           in varchar2,
        p_url_charset   in varchar2 default null,
        p_checksum_type in varchar2 default null)
  • p_checksum_type
    • '3' or 'SESSION'
    • '2' or 'PRIVATE_BOOKMARK'
    • '1' or 'PUBLIC_BOOKMARK'

  23. Session State Protection
  • It is easy to turn SSP on/off for an application
    • During development, this can be useful
    • You don't lose your settings when you disable SSP
  • Developers can use a wizard to set page and item attributes for the entire application
  • Easy to adjust page/item SSP attributes individually
  • Feature should be enabled by default when an application is created – maybe for the next release
  • Important to remember to set both page and item attributes when first setting it up.

  24. Session Expiration
  • 3.2 Feature - Session expiration application attributes
    • Home>Application Builder>Application 211>Shared Components>Edit Security Attributes
    • Maximum Session Length in Seconds – wall clock time the session can exist
    • Session Timeout URL – for a public page to tell the user what happened
    • Maximum Session Idle Time in Seconds - wall clock time the session can be idle
    • Idle Timeout – for a public page to tell the user what happened
  • API provided to programmatically adjust either limit (apex_util):
      procedure set_session_lifetime_seconds(
        p_seconds in number,
        p_scope   in varchar2 default 'SESSION');
      procedure set_session_max_idle_seconds(
        p_seconds in number,
        p_scope   in varchar2 default 'SESSION');

  25. Session State Encryption
  • 3.2 Feature - Session state encryption for page item values
    • Home>Application Builder>Application 9188>Page 7>Edit Page Item
    • Store value encrypted in session state: Yes/No
  • When the item is saved in the session state table, it is encrypted. This protects sensitive data from unauthorized viewing by those with access to database tables, backups, etc.
  • When the item is referenced within the application, it is decrypted.
  • It is not possible to pass the encrypted value in a URL. Developers should avoid passing these values in links.
  • DBMS_CRYPTO is used with a salt generated during the installation of Application Express and saved in the SYS schema

  26. Non-persistent Password Item Type
  • 3.2 Feature – Non-persistent password item type
  • Passwords that are entered in a form and processed during that page's after-submit processing can use the new Password (does not save state) item type
  • The Apex engine simply skips the step that would ordinarily write submitted item values to the session state table.
  • The page item value can be referenced during after-submit validations, computations, processes, and by compiled PL/SQL called from those components during the lifetime of the HTTP request used to submit the page. After that, there is no record of the item value.
  • During upgrade to 3.2, all “old” password item types in applications are converted to use the encryption feature.
  • Apex provides new reports so developers can see at-risk password types in an application, i.e., those that use the “old” password type and also do not use the encryption feature.
