Oracle Application Express


Security Essentials
Security Features for Developers

• Input/Output Filtering – Cross-Site Scripting (XSS)
• Review of Application Express “machinery”
• Session State Protection – URL Tampering
• Encrypted Session State
• Passwords and Session State
• Session Expiration
Input/Output Filtering
• Purpose – to help developers prevent cross-site
scripting attacks
• How do values get into session state?
• User input as form items submitted with page
• Item values passed in f?p URL
f?p=100:1:999::::P1_X:100000
• Application actions (processes, computations, …)
• :P1_X := 'foo';
• select sal into :P1_SAL from emp;
• apex_util.set_session_state('P1_X', 100000);
• set_sal_procedure(:P1_X /* OUT */);
• Automatic input filtering applies to f?p inputs only
Input Filtering
• Page Item Display Types
• Form Items
• Checkbox
• Date Picker
• Hidden
• Hidden and Protected
• Password
• Radiogroup
• Select List
• Text Field
• Text Area
• Display as Text (saves state)
• ...
• Form items are submitted with page (POSTed)
Input Filtering, cont’d.
• Page Item Display Types, cont’d
• Display-Only Items
• Display as Text (does not save state)
• For emitting HTML
• Display as Text (based on LOV, does not save state)
• Display as Text (based on PLSQL, does not save state)
• Display as Text (escape special characters, does not save
state)
• Display-Only items cannot be submitted with page (POST)
• Display-Only items can be set through URL (f?p)
• This is where automatic input filtering occurs – if an item named in the
URL is one of these display-only types, its value has special characters
escaped before it is saved in session state
Output Filtering
• What type of output gets sent to browser?
• Characters that are to be interpreted as HTML or script
• Characters that are to be displayed as text
• Characters that should have been escaped but were not are the basis of
XSS
• Report output – source is database
• Developers should use report column type Display as Text (escape
special characters), not Standard Report Column
• Might the data selected from a table contain unexpected script?
• Dynamic PL/SQL (htp.p) – varied sources
• Developers must have perfect knowledge of safety of inputs when
assembling output to browser. Where did the input originate, what
transforms has it passed through, who might have touched it?
• Referencing session state – Never reference a POSTable item type
and emit it to browser unescaped.
Output Filtering, cont’d.
• Session State Substitution Syntax
• &P1_X. – item is a Display-Only type
• &P1_Y. – item is a Hidden type
• HTML Region or other textual context; value in session state for both items: <b>Scott</b>
• User &P1_X. is logged in.
• Emitted to browser: User &lt;b&gt;Scott&lt;/b&gt; is logged in.
• Appearance on page: User <b>Scott</b> is logged in. (the tags show as literal text)
• User &P1_Y. is logged in.
• Emitted to browser: User <b>Scott</b> is logged in.
• Appearance on page: User Scott is logged in. (Scott rendered in bold; the markup was interpreted)
• Automatic escaping on output applies to display-only item types
• Their values may have arrived without input filtering (e.g., set by a process or computation), so they are escaped on output
• A Hidden item is a POSTable form item: its value is filtered neither on input nor on output, so whoever can set it chooses the markup the page emits
• f?p .. P1_HACK:<script>alert(1);</script> – if P1_HACK is a display-only item, this value is escaped when saved to session state, so the script reaches the browser only as text; a form item set the same way is stored as-is
Output Filtering, cont’d.
• Developer Responsibility
• Be able to prove that inputs are safe when assembling output
• Always use htf.escape_sc when referencing form items, e.g.,
htp.p(htf.escape_sc( v('P1_Y') ) ); -- where P1_Y is a Hidden item
• When setting session state, be conscious of item types and
the risk of allowing unsafe characters to corrupt item values
• P1_H is a hidden item that normally contains only safe characters
• An attacker uses an f?p URL to set P1_H:<script>alert(1);</script> – hidden items are not filtered on input
• Page 2 copies the corrupted hidden item into a display-only item (of a type that emits HTML rather than escaping it): :P2_D := :P1_H;
• Page 2 displays the XSS alert
• An HTML region on page 3 references the page 2 display-only item as &P2_D.
• Page 3 displays the XSS alert
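The rules on the preceding slides, as an added Python model that is not code from these slides or from Application Express. It shows the three ways a value reaches session state (URL, POST, process assignment), where the only automatic filtering happens, and why the developer must escape form-item values on output. The item type names, the SessionState class and the emit helpers are constructed for illustration; escape_sc stands in for htf.escape_sc, and the payload is the one used on the slides.

```python
import html

# Constructed, simplified model of the APEX escaping rules described on the
# slides. Added example, not Application Express code: the type names,
# SessionState and the emit_* helpers are illustrative.

FORM_ITEM_TYPES = {"HIDDEN", "TEXT", "TEXTAREA", "SELECT", "CHECKBOX"}  # POSTable
DISPLAY_ONLY_TYPES = {"DISPLAY_ESCAPED"}                               # URL-settable only


def escape_sc(value):
    """Model of htf.escape_sc: turn <, >, &, " and ' into entities so the
    browser shows them as text instead of interpreting them."""
    return html.escape(value, quote=True)


class SessionState:
    def __init__(self, item_types):
        self.types = item_types      # item name -> item type
        self.values = {}

    def set_from_url(self, name, value):
        """f?p=...:names:values. Automatic input filtering applies only to
        display-only item types; form items are stored exactly as received."""
        if self.types[name] in DISPLAY_ONLY_TYPES:
            value = escape_sc(value)
        self.values[name] = value

    def set_from_post(self, name, value):
        """Form submission. Only form items can be POSTed, and nothing is filtered."""
        if self.types[name] not in FORM_ITEM_TYPES:
            raise PermissionError(f"{name} cannot be submitted with the page")
        self.values[name] = value

    def assign(self, name, value):
        """:P2_D := :P1_H; in a process or computation: no filtering at all."""
        self.values[name] = value

    def v(self, name):
        return self.values.get(name, "")


def emit_unsafe(state, name):
    """htp.p('User ' || v('P1_Y') || ' is logged in.'): trusts session state."""
    return f"User {state.v(name)} is logged in."


def emit_safe(state, name):
    """htp.p('User ' || htf.escape_sc(v('P1_Y')) || ' is logged in.')"""
    return f"User {escape_sc(state.v(name))} is logged in."


def is_xss(html_out):
    """Crude check for the demo: did raw script markup survive to the browser?"""
    return "<script" in html_out.lower()


PAYLOAD = "<script>alert(1);</script>"   # constructed attacker input


def demo():
    state = SessionState({"P1_HACK": "DISPLAY_ESCAPED",
                          "P1_H": "HIDDEN",
                          "P2_D": "DISPLAY_ESCAPED"})
    state.set_from_url("P1_HACK", PAYLOAD)          # display-only: filtered on input
    state.set_from_url("P1_H", PAYLOAD)             # hidden: stored unfiltered ...
    state.assign("P2_D", state.v("P1_H"))           # ... and copied by a page process
    return {
        "hack_stored": state.v("P1_HACK"),
        "p2d_unsafe": emit_unsafe(state, "P2_D"),   # alert(1) reaches the browser
        "p2d_safe": emit_safe(state, "P2_D"),       # shown as literal text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model deliberately has no "escape on substitution" path: the only defence for a value that came in through a form item is the developer escaping it at the point of output.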
Overview of Moving Parts
• End user clicks an f?p link
http://apex.oracle.com/pls/otn/f?p=4500:1000:532922333356168
• The HTTP listener invokes mod_plsql, which connects to the
database using a session obtained from the connection pool.
• mod_plsql builds and executes an anonymous block that
calls the f procedure.
• f parses its input arguments and passes them to
wwv_flow directly, or sets package variables in the
wwv_flow package or other packages for their access.
• f calls the wwv_flow.show procedure (page show request)
Moving parts, cont’d.
• wwv_flow.show constructs and emits HTML to
browser
• End user uses hyperlinks to navigate to other pages
(f?p requests) or submits HTML form page – page
POST invokes wwv_flow.accept procedure (page
accept request)
• wwv_flow.accept evaluates branches defined on apex
page submitted
• When a suitable branch is found, a URL redirect
request is issued to initiate the next page show
request through f (http:// .. f?p= ..)
Moving parts, cont’d.

Other Paths
• wwv_flow.show -> wwv_flow.show: authentication steps, error pages
• wwv_flow.accept -> wwv_flow.show: Branch to Page or direct branch; to present page validation errors
• wwv_flow.show -> wwv_flow.accept: Branch to Page Accept
• AJAX – XMLHttpRequest POSTs to wwv_flow.show
Moving parts, cont’d.

• The essential parameter to f is p (f?p= …):
application:page:session:request:debug:cc:inames:ivalues:pf
• Other parameters
• p_trace – turn on database session tracing
• c – workspace identifier
• pg_min_row, pg_max_rows – report pagination
• The above parameters are passed to wwv_flow.show directly

© 2009 Oracle Corporation


Moving parts, cont’d.
f?p=100:1:999::NO::P1_ID:32&p_trace=YES&c=DEV
wwv_flow.show (
    p_flow_id => 100,
    p_flow_step_id => 1,
    p_instance => 999,
    p_request => null,
    p_debug => 'NO',
    p_clear_cache => null,
    p_arg_names => 'P1_ID',
    p_arg_values => '32',
    p_printer_friendly => 'NO',
    p_trace => 'YES',
    p_company => 'DEV'
);
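The mapping on this slide, as an added Python model that is not Application Express code: it unpacks the p parameter and the other query parameters into the wwv_flow.show arguments listed above, and keeps success_msg, notification_msg and cs aside as package variables instead of passing them as arguments. The field-to-argument mapping follows the slide; treating an empty pf as 'NO', rejecting unknown parameters, and clearing an item that has a name but no value are assumptions of the model (values containing ':' or ',' are outside it).

```python
from urllib.parse import parse_qs, urlsplit

# Constructed model of how f unpacks its inputs for wwv_flow.show.
# Added example, not Application Express code; argument names follow the slides.

P_FIELDS = ("p_flow_id", "p_flow_step_id", "p_instance", "p_request", "p_debug",
            "p_clear_cache", "p_arg_names", "p_arg_values", "p_printer_friendly")

# Query parameters other than p that go to show directly (URL name -> argument).
DIRECT_PARAMS = {"p_trace": "p_trace", "c": "p_company",
                 "pg_min_row": "pg_min_row", "pg_max_rows": "pg_max_rows"}

# Parameters f never hands to show as arguments; they live in package variables.
PACKAGE_VARS = ("success_msg", "notification_msg", "cs")


def _num(raw):
    """Numeric IDs become integers; anything else is kept verbatim."""
    return int(raw) if raw.isdigit() else raw


def parse_f(url):
    """Split an f?p URL into (show_args, package_vars)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "p" not in query:
        raise ValueError("f requires the p parameter")
    fields = query["p"][0].split(":")
    if len(fields) > len(P_FIELDS):
        raise ValueError("too many colon-separated fields in p")
    fields += [""] * (len(P_FIELDS) - len(fields))     # trailing fields may be omitted
    show = {name: (raw or None) for name, raw in zip(P_FIELDS, fields)}
    for name in ("p_flow_id", "p_flow_step_id", "p_instance"):
        if show[name] is not None:
            show[name] = _num(show[name])
    if show["p_printer_friendly"] is None:
        show["p_printer_friendly"] = "NO"                # model assumption, as on the slide
    package_vars = {}
    for key, values in query.items():
        if key == "p":
            continue
        if key in DIRECT_PARAMS:
            show[DIRECT_PARAMS[key]] = values[0]
        elif key in PACKAGE_VARS:
            package_vars[key] = values[0]               # never a show argument
        else:
            raise ValueError(f"unexpected parameter: {key}")
    return show, package_vars


def item_pairs(show):
    """Pair p_arg_names with p_arg_values. A surplus value is rejected;
    a name without a value clears the item (model assumption)."""
    names = show["p_arg_names"].split(",") if show["p_arg_names"] else []
    values = show["p_arg_values"].split(",") if show["p_arg_values"] else []
    if len(values) > len(names):
        raise ValueError("more item values than item names")
    values += [None] * (len(names) - len(values))
    return list(zip(names, values))


if __name__ == "__main__":
    args, pkg = parse_f("http://apex.oracle.com/pls/otn/"
                        "f?p=100:1:999::NO::P1_ID:32&p_trace=YES&c=DEV")
    for name, value in args.items():
        print(f"{name} => {value!r}")
    print("package variables:", pkg, "items:", item_pairs(args))
```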
Moving parts, cont’d.

Parameters that cannot be passed to wwv_flow.show directly:
• success_msg
• notification_msg
• cs (Session State Protection checksum)
• f assigns these parameter values to package variables
• They cannot be set by an end user calling the f or show procedures
• Message content is protected against cross-site scripting
• Security variables remain secure


Moving Parts, cont’d.

wwv_flow.show inputs                       | wwv_flow.accept inputs
-------------------------------------------|-----------------------------------------
Application ID                             | Application ID
Page ID                                    | Page ID
Session ID                                 | Session ID
Workspace ID                               | Workspace ID
Request                                    | Request
Page and Application Item Names            | Page Item IDs
Page and Application Item Values           | Page Item Values (scalar or array)
Ajax Controls, Scalar and Array Values     | Dynamically Generated Values (array)
Checksums and other Security Values        | Checksums and other Security Values
Debug and Trace Flags                      | Debug and Trace Flags

Session State Protection
• Feature first appeared in 2.0
• Prevent URL tampering
• User can change empno value to cause record to be selected for different
emp
• First level of protection against “mis-navigation”
• Authorization must still be used in all the right places, e.g., if authenticated
user has no business seeing EMP row for EMPNO 7839, authorization must
prevent that.
• f?p=100:1:999::NO::P1_EMPNO:7839
• Helps developers build applications that insist on being operated as intended
• Don’t let users run pages with arbitrary or experimental input values in f?p
URL
• Require users to use application’s navigational aids
• Discourage use of browser back button
• Don’t let users jump into the middle of multi-step page sequences like
wizards

Session State Protection
• Method: Generate checksummed URLs to apex pages
• f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def
&cs=350B21557A3A3338EBB124CDE2F3333C8
• When apex engine generates links for page branches, list item targets, parent
tab targets, breadcrumbs, button redirect URLs, report column links, calendar
links, etc., it appends the &cs argument to f
• Checksum is computed over request, clear-cache, and item names/values
• If user alters the URL, checksum verification will fail when show is called by f
• Checksum is md5 hash of values along with a session-specific salt

Session State Protection
• Pages have SSP attribute Page Access Protection – edit page definition
• Unrestricted - when SSP is not used by the page
• Arguments Must Have Checksum
• If URL contains request, clear-cache, item names/item values then
&cs= argument must be in URL for verification
• No Arguments Allowed
• Navigation to page is allowed but no request, clear-cache, item
names/values are allowed, e.g., f?p=211:2:999
• No URL Access
• Direct branch only may access page

Session State Protection
• Display-Only items and Application items have a useful security attribute that
can be used whether SSP is enabled or not
• Edit item security attributes and select Restricted: May not be set from browser -
The item may not be altered via the URL.
• Use this when you want to restrict the way that the item value can be set to
internal processes, computations, etc.

• When SSP is enabled for the application, non-restricted items can have one of
these Item Protection Level settings:
• Unrestricted – no checksum necessary to set item in URL
• Checksum Required: Session Level
• Checksum Required: User Level
• Checksum Required: Application Level

Session State Protection
f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def
&cs=350B21557A3A3338EBB124CDE2F3333C8

• Does application 211 have SSP enabled?


• Does page 2 require a checksum?
• Is the checksum correct (computed over req, cc, names, values)?
• Begin saving items in session state. For each item:
• Does the item require a checksum, and of what type?
• Is the checksum level set by f in the wwv_flow global >= the item's required
checksum type (3, 2, or 1)?
• This per-item check prevents a request to unprotected page 3 from setting P2_ITEM1:
f?p=211:3:999:req:NO::P2_ITEM1
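The verification sequence above, together with the page access protection levels, item protection levels and bookmark salt from the surrounding slides, as an added Python model that is not Application Express code. The slides describe the checksum as MD5 over the values plus a session-specific salt; this model uses HMAC-SHA256 instead, because a keyed MAC is what the construction needs (a plain hash over salt and data is not a proper MAC). Deriving the user-level and application-level keys from the application's bookmark salt, the separator used in the message, and the names SspContext, verify_show and the item-level constants are assumptions of the model.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed model of Session State Protection. Added example, not APEX code.
# The checksum is HMAC-SHA256 here, not the salted MD5 the slides describe.

SESSION, PRIVATE_BOOKMARK, PUBLIC_BOOKMARK = 3, 2, 1   # prepare_url checksum types
UNRESTRICTED = 0                                       # item needs no checksum
RESTRICTED = "RESTRICTED"                              # "May not be set from browser"


class SspContext:
    """Secrets the engine holds: a per-session salt and the application's
    bookmark salt (the attribute that 'Expire Bookmarks' replaces)."""

    def __init__(self, app_id, session_id, user, app_bookmark_salt=None):
        self.app_id, self.session_id, self.user = app_id, session_id, user
        self.session_salt = secrets.token_hex(16)
        self.app_bookmark_salt = app_bookmark_salt or secrets.token_hex(16)

    def key(self, level):
        if level == SESSION:            # valid only in this session
            return f"{self.session_id}|{self.session_salt}"
        if level == PRIVATE_BOOKMARK:   # this user, any session, until bookmarks expire
            return f"{self.app_id}|{self.user}|{self.app_bookmark_salt}"
        if level == PUBLIC_BOOKMARK:    # any user of the application
            return f"{self.app_id}|{self.app_bookmark_salt}"
        raise ValueError(f"unknown checksum level {level}")

    def checksum(self, level, request, cc, names, values):
        msg = "\x1f".join((request, cc, names, values)).encode()
        return hmac.new(self.key(level).encode(), msg, hashlib.sha256).hexdigest().upper()


def p_args(url):
    """request, clear-cache, item names, item values and cs from
    f?p=app:page:session:request:debug:cc:names:values:pf&cs=..."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = (query["p"][0].split(":") + [""] * 9)[:9]
    return fields[3], fields[5], fields[6], fields[7], query.get("cs", [None])[0]


def prepare_url(ctx, url, checksum_type=SESSION):
    """Model of apex_util.prepare_url: append &cs= for the requested level."""
    request, cc, names, values, _ = p_args(url)
    return f"{url}&cs={ctx.checksum(checksum_type, request, cc, names, values)}"


def verify_show(ctx, url, page_protection, item_levels):
    """The checks performed on a page show request. Returns (allowed, reason).
    item_levels maps item name -> UNRESTRICTED, 1, 2, 3 or RESTRICTED."""
    request, cc, names, values, cs = p_args(url)
    has_args = any((request, cc, names, values))
    if page_protection == "No URL Access":
        return False, "page may only be reached by a direct branch"
    if page_protection == "No Arguments Allowed" and has_args:
        return False, "request/clear-cache/item arguments not allowed on this page"
    verified_level = 0
    if cs is not None:
        for level in (SESSION, PRIVATE_BOOKMARK, PUBLIC_BOOKMARK):
            expected = ctx.checksum(level, request, cc, names, values)
            if hmac.compare_digest(cs.encode(), expected.encode()):
                verified_level = level          # highest level the checksum satisfies
                break
        if verified_level == 0:
            return False, "checksum verification failed (URL altered?)"
    if page_protection == "Arguments Must Have Checksum" and has_args and verified_level == 0:
        return False, "page requires a checksum for these arguments"
    # Item protection is checked per item, independent of which page was requested.
    for name in filter(None, names.split(",")):
        required = item_levels.get(name, UNRESTRICTED)
        if required == RESTRICTED:
            return False, f"{name} may not be set from the browser"
        if verified_level < required:
            return False, f"{name} requires checksum level {required}, URL carries {verified_level}"
    return True, f"ok (checksum level {verified_level})"
```

A session-level checksum satisfies items that only require user- or application-level protection (3 >= 2 >= 1), which is the comparison the slide describes; a bookmarked user-level link keeps working in a new session of the same user only while the application's bookmark salt is unchanged.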

Session State Protection
f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def
&cs=350B21557A3A3338EBB124CDE2F3333C8

• User likes this link and wants to bookmark it
• Your application generated authorized values for this authenticated user
• Specify Checksum Required: User Level in the Item Protection Level attributes
• The user will then be able to bookmark the link and use it in a different session
• Specify Checksum Required: Application Level in the Item Protection Level
attributes to allow bookmarked links to be re-used by any user of this application
in the current workspace in a new session
• Bookmark-able links are checksummed with a salt saved as an application
attribute; the Expire Bookmarks button replaces it, invalidating existing bookmarked links
• Home>Application Builder>Application 211>Shared Components>Edit Security Attributes
Allow URLs Created After: 02/27/2009 04:31:51 AM
Button: Expire Bookmarks

Session State Protection
• To dynamically generate links with checksums, use the apex_util package:
apex_util.prepare_url(
    p_url in varchar2,
    p_url_charset in varchar2 default null,
    p_checksum_type in varchar2 default null)

• p_checksum_type
• '3' or 'SESSION'
• '2' or 'PRIVATE_BOOKMARK'
• '1' or 'PUBLIC_BOOKMARK'

Session State Protection
• SSP is easy to turn on and off for an application
• During development this can be useful
• You do not lose your page and item settings when you disable SSP
• Developers can use a wizard to set page and item attributes for an entire
application
• Page/item SSP attributes are easy to adjust individually
• The feature should be enabled by default when an application is created – maybe
in the next release
• It is important to remember to set both page and item attributes when first setting
it up; a page-level requirement alone does not stop an item from being set through
a URL to an unprotected page.

Session Expiration
3.2 Feature – Session expiration application attributes

Home>Application Builder>Application 211>Shared Components>Edit Security Attributes

• Maximum Session Length in Seconds – wall-clock time a session can exist, regardless of activity
• Session Timeout URL – a public page that tells the user what happened
• Maximum Session Idle Time in Seconds – wall-clock time a session may remain idle between requests
• Idle Timeout – a public page that tells the user what happened
• An API is provided to programmatically adjust either limit (apex_util):
procedure set_session_lifetime_seconds(
    p_seconds in number,
    p_scope in varchar2 default 'SESSION');
procedure set_session_max_idle_seconds(
    p_seconds in number,
    p_scope in varchar2 default 'SESSION');
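An added Python model (not Application Express code) of how the two limits interact: the idle clock restarts on each served request, the absolute lifetime never does, and the check runs before any page processing and before the idle clock is touched. The Session class, the reason codes, the timeout page URLs and the per-session override methods (named after the apex_util procedures above, with the 'SESSION' scope only) are constructed for the example.

```python
# Constructed model of the 3.2 session-expiration limits. Added example,
# not Application Express code; Session, check() and request() are illustrative.

MAX_SESSION_LENGTH = "MAX_SESSION_LENGTH"   # Maximum Session Length in Seconds exceeded
MAX_IDLE_TIME = "MAX_IDLE_TIME"             # Maximum Session Idle Time in Seconds exceeded


class Session:
    def __init__(self, created_at, lifetime_seconds, max_idle_seconds):
        self.created_at = created_at               # absolute clock: never resets
        self.last_request_at = created_at          # idle clock: restarts on each served request
        self.lifetime_seconds = lifetime_seconds   # application attribute defaults ...
        self.max_idle_seconds = max_idle_seconds   # ... overridable per session below

    # Models apex_util.set_session_lifetime_seconds / set_session_max_idle_seconds
    # with p_scope => 'SESSION'; None disables a limit (model assumption).
    def set_session_lifetime_seconds(self, seconds):
        self.lifetime_seconds = seconds

    def set_session_max_idle_seconds(self, seconds):
        self.max_idle_seconds = seconds

    def check(self, now):
        """None if the session may still be used, else which limit expired it.
        The absolute limit is tested first, so it wins when both are exceeded."""
        if self.lifetime_seconds is not None and now - self.created_at > self.lifetime_seconds:
            return MAX_SESSION_LENGTH
        if self.max_idle_seconds is not None and now - self.last_request_at > self.max_idle_seconds:
            return MAX_IDLE_TIME
        return None

    def request(self, now, timeout_urls):
        """One show/accept request. An expired session is redirected to the
        matching public timeout page before any page processing; a served
        request restarts only the idle clock."""
        reason = self.check(now)
        if reason is not None:
            return "REDIRECT", timeout_urls[reason]
        self.last_request_at = now
        return "SERVE", None


TIMEOUT_URLS = {                        # constructed public pages for the two cases
    MAX_SESSION_LENGTH: "f?p=211:101",
    MAX_IDLE_TIME: "f?p=211:102",
}

if __name__ == "__main__":
    s = Session(created_at=0, lifetime_seconds=3600, max_idle_seconds=600)
    for t in (500, 1000, 1700):         # third request arrives after 700 idle seconds
        print(t, s.request(t, TIMEOUT_URLS))
```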

Session State Encryption
3.2 Feature – Session state encryption for page item values

Home>Application Builder>Application 9188>Page 7>Edit Page Item

Store value encrypted in session state: Yes/No
• When the item is saved in the session state table, it is encrypted. This protects sensitive data
from unauthorized viewing by those with access to the database tables, backups, etc.
• When the item is referenced within the application, it is decrypted.
• It is not possible to pass an encrypted value in a URL. Developers should avoid passing these
values in links.
• DBMS_CRYPTO is used with a salt generated during the installation of Application
Express and saved in the SYS schema

Non-persistent Password Item Type
3.2 Feature – Non-persistent password item type

• Passwords that are entered in a form and processed during that page's after-submit
processing can use the new Password (does not save state) item type
• The APEX engine simply skips the step that would ordinarily write submitted item values to
the session state table.
• The page item value can be referenced during after-submit validations,
computations and processes, and by compiled PL/SQL called from those components,
during the lifetime of the HTTP request used to submit the page. After that, there is no
record of the item value.
• During the upgrade to 3.2, all “old” password item types in applications are converted to
use the encryption feature.
• APEX provides new reports so developers can see at-risk password item types in an
application, i.e., those that use the “old” password type and also do not use the
encryption feature.
