Cloud

O SpecGold OracleBusIntApps7 clr

 Gcloud

 

   Call us now 

  Manchester Office

  +44 (0) 8450 940 998

 

  

 

John's Blog

This is my blog of various topics, from things that I think might be useful to others, to things that I just find interesting personally. If you have any comments or questions on any of my posts then please do ask - any positive contribution is very much welcomed.

  • Home
    Home This is where you can find all the blog posts throughout the site.
  • Categories
    Categories Displays a list of categories from this blog.
  • Tags
    Tags Displays a list of tags that have been used in the blog.
  • Bloggers
    Bloggers Search for your favorite blogger from this site.
  • Team Blogs
    Team Blogs Find your favorite team blogs here.
  • Login
    Login Login form

Oracle Apex Application Exploits - Part 1

  • Font size: Larger Smaller
  • Subscribe to this entry
  • Print

Oracle APEX Exploitation - Part 1

I decided to write a short series of posts detailing some different mechanisms that a malicious user may use to "attack" an application written in Oracle Application Express (Apex) - note - "Attack" is used loosely here in that it is more of "making the application perform in a way it was not intended". These posts are not intended to be instructional, more they are intended to assist the developer in ensuring their applications are written to a standard which protects against such attacks. It should be noted from the outset that none of the techniques illustrated infer there is a security issue with Apex - Apex is secure for all intents and purposes - any security vulnerabilities are 99%+ of the time due to the developer not implementing appropriate defences. Some of them are quite obvious, however some may not be so. I won't be using any fancy tools - just a browser with developer plugins.
I'll try to explain a problem under a number of headings.

  • The mechanism of the attack
  • The implications
  • How to defend against it

It of course goes without saying that all liability is relinquished - anything you do to your own (or other's) applications is entirely at your own risk.

I am using a sandpit application on apex.oracle.com to demonstrate, which can be accessed here.
So with that said, the first thing I'd like to show is by far the most simple - URL Parameter Modification. I'll then work through more complex and intricate attacks in subsequent posts.

 

URL Parameter Modification

Mechanism of Attack

This type of attack involves a user intentionally modifying values in the Apex URL to give undesired results on a page. So first, we need to understand the format of the Apex URL. That can be found in the Oracle Documentation here, and is as follows:

f?p=App:Page:Session:Request:Debug:ClearCache:itemNames:itemValues:PrinterFriendly

So let's assume we have a simple page which contains some basic data from the emp table, restricted to just those employees reporting to JONES. Upon clicking the employee number, we link off to another page, page 3, which has an item P3_EMPNO that is set with the empno of the employee we clicked. The report on that page shows the salary for the selected employee.

Employee Report> Click through to >Employee Detail

When we click on that link though, look at the URL that is generated:

https://apex.oracle.com/pls/apex/f?p=18281:EMPLOYEE_SALARY:4107183592951::NO:RP:P3_EMPNO:7902

Your session ID will be different to mine of course. However - see that last bit: P3_EMPNO:7902. That is setting the value of P3_EMPNO to 7902 when the page is loaded. Say I know the president's employee number - a simple modification to the URL - f?p=18281:EMPLOYEE_SALARY:4107183592951::NO:RP:P3_EMPNO:7839 - allow's me to see his salary instead!

President Salary

So I can modify the value to anything I wish - and see that employee's details, despite this not being intended functionality.

The Implications

Whilst the first report restricts me to only a specific set of employees, by simply modifying values in the URL, I can see other values on the linked page. I can modify any value on the page using this method, whether it is displayed or not, unless the appropriate controls are in place.

How To Defend Against It

This is generally (there are some exceptions - see later posts) quite easy to protect against. We simply need to enable session state protection at the page level (it is disabled by default).

Session State Protection

There are several options - two should be self explanatory, so I'll only explain the third - "Require Checksum". What this does is prevent modification to values in the URL by calculating a hash value (checksum) on the values. If a value is modified then the checksum is no longer valid, and an error is shown. If we create our hidden item we choose Value Protected = Yes with session state protection enabled, when we click the link, we can see that a different URL is generated:

https://apex.oracle.com/pls/apex/f?p=18281:EMPLOYEE_SALARY:4107183592951::NO:RP:P3_EMPNO:7788&cs=12VoPH1vlC3fwWdMVEZ3aT_0zuiWDzz7pLVQa6I-TvcLHqh8qSp2dVfb1E02_jlgQ7PiNSIHxRyWw6vfsjaRmhw

So now if I try to modify the value of P3_EMPNO, the checksum is invalidated, and Apex will complain:

Session State Protection Violation

The other method of defence, and this should be considered even if using the above, is to use Fine Grained Access Control (FGAC) such as VPD or views. This ensures security at the database level, which is always a preferred solution. In fact I would probably go as far as to say you should always use some form of database level FGAC if you wish to restrict a user to a particular subset of data.

Note that this is only one of a number of URL modification attacks - I will cover some more in future posts. The important point to take from this is that you should always assume that any item in an Apex application could be any value within a session. If that is likely to cause your application to break or behave unpredictably, it's quite possible you have a security issue.

Summary

This was of course a very simple example, yet one that is surprisingly effective. Many people choose not to enable session state protection because it prevents them setting values with JavaScript etc (JavaScript runs client side and can be modified). That should be no excuse though - as you ca see it's very easy to take advantage of such instances.
Check back in a few weeks when I'll be posting some more advanced topics.

Last modified on
Tagged in: APEX
in Techniques Hits: 168 0 Comments
0
My primary area of interest and expertise is Oracle E-Business Suite, particularly Foundation, Human Resources, Payroll, Time and Labor, Warehouse Management and Inventory. Whilst I prefer to focus on functional aspects I do have a keen interest in technical areas too such as SQL tuning/the optimizer, Application Express (APEX), Unix (particularly Linux) and general development.


Comments

  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest
Guest Tuesday, 24 October 2017