
Welcome to the Beyond Blog

As you'd expect from the winners of the Specialized Partner of the Year: Business Analytics at the Oracle UKI Specialized Partner Awards 2014, Beyond work with leading edge BI Applications, primarily within the UK Public Sector. We intend to share some of our ideas and discoveries via our blog and hopefully enrich the wider discussion surrounding Oracle Business Intelligence and driving improved insight for customers.

Blog posts tagged in APEX

Oracle APEX Exploitation - Part 2

Following on from my previous post in this series on common exploits in Oracle Application Express, in this post I continue the theme of URL modification, this time using it to execute processes that the user should not be able to run. The issue arises because the construct BRANCH_TO_PAGE_ACCEPT can be used in an APEX URL to invoke a page's submit processing. This is explained further below.

URL Parameter Modification

Mechanism of Attack

Take a page that shows a report to all users, where users with a higher level of access can also click a button that deletes the contents of the table. Obviously a very silly example, but it's enough to show us the principles. The live demo of this can be found here as always.

Our page consists of a report with a simple query:

select ename from emp;

A delete button, DELETE, which has an authorisation scheme defined against it so that it is only displayed when the user is an administrator.

Apex Designer

Finally, a procedure, "Delete Rows", which empties the table. It is set to run conditionally on the DELETE button having been pressed.

begin
  delete emp;
end;

Now, to protect my demo application, I have modified this slightly to:

begin
  delete emp;
  raise_application_error(-20000,'I would have deleted all your data really!');
end;
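As an added illustration (my code, not the post's own), here is what the "Delete Rows" process looks like once it stops relying on the button being visible: the process re-checks the same authorisation in its own body, so a submit reached via a modified URL is rejected server-side. The scheme name IS_ADMIN is an assumption, since the post does not name its scheme. The declarative equivalent, which is usually preferable, is to attach the authorisation scheme to the process itself rather than only to the button.

```plsql
-- Added example, not the post's code: a hardened "Delete Rows" page process.
-- Assumes an authorisation scheme named IS_ADMIN exists in the application
-- (the post does not name its scheme).
begin
  -- Evaluate the authorisation scheme on the server, independently of whether
  -- the DELETE button was rendered. IS_AUTHORIZED raises an error if the
  -- scheme name does not exist, which fails safe.
  if not apex_authorization.is_authorized(p_authorization_name => 'IS_ADMIN') then
    raise_application_error(-20001, 'You are not authorised to delete rows.');
  end if;

  delete emp;
end;
```

Because the check lives in the process, it holds regardless of how the page submit was reached; the button's authorisation scheme then only governs what the user sees, which is all it ever controlled.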
Tagged in: APEX

Oracle APEX Exploitation - Part 1

I decided to write a short series of posts detailing some different mechanisms that a malicious user may use to "attack" an application written in Oracle Application Express (Apex). Note that "attack" is used loosely here, in the sense of "making the application perform in a way it was not intended". These posts are not intended to be instructional; rather, they are intended to assist the developer in ensuring their applications are written to a standard which protects against such attacks. It should be noted from the outset that none of the techniques illustrated imply there is a security issue with Apex. Apex is secure for all intents and purposes; security vulnerabilities are 99%+ of the time due to the developer not implementing appropriate defences. Some of them are quite obvious, however some may not be so. I won't be using any fancy tools, just a browser with developer plugins.
I'll try to explain a problem under a number of headings.

  • The mechanism of the attack
  • The implications
  • How to defend against it

It of course goes without saying that all liability is relinquished: anything you do to your own (or others') applications is entirely at your own risk.

I am using a sandpit application on apex.oracle.com to demonstrate, which can be accessed here.
So with that said, the first thing I'd like to show is by far the most simple - URL Parameter Modification. I'll then work through more complex and intricate attacks in subsequent posts.

Tagged in: APEX

A while back I posted instructions on how to create an organisation/position chart in Oracle APEX using the Google Charts API. That was a little manual and not massively simple, so I have encapsulated that process into an APEX plugin which is released on apex.world. The GitHub project page, which is the master repository for this plugin, can be found here.

Please feed back any issues through the issue tracker and feel free to offer any suggestions (or clone the repo and contribute).

Thanks!

Tagged in: APEX, APEX 5.1

Whilst working on a client project recently I created a page in APEX with a number of different regions, selectable via a Region Selector. The way this page was to be used, the user may not always want to click on every single region each time they use the page. Unfortunately the default behaviour with APEX is that all regions are rendered on the page at load time, so if some queries take a short while to run then your user is waiting for data to return that they aren't even going to use.
What I really wanted was for the code in the region to only actually run when the user chose the region from the selector. I even posted on the OTN Forums to ask if anyone had done similar in the past. Ultimately though it seemed nobody had, so I thought I'd give it a try.

To explain the concept first, this idea works by creating a page item which is checked in a query predicate. i.e.

Select *
  From my_table
 Where :p1_show_data = 'Y';

We take advantage of the fact that the optimizer can deduce that if :p1_show_data does not equal 'Y' then the query is going to return no rows, without doing any of the work.
By exploiting that, we can devise a solution where our region queries check the value of an item which is empty when the page is originally rendered but populated when the region is refreshed, and we trigger a refresh of the corresponding region when the user selects a tab.

Here is how I achieved this (note - demo done in APEX 5.1.2, however should be backwards compatible across at least APEX 5.x).

First we create a hidden page item that restricts the queries. I created one called P1_SHOW_REGION. Then we modify our queries to take advantage of this.

select * from table(delay_table(5))  where :P1_SHOW_REGION is not null

My delay_table is simply a pipelined function that takes a value and waits that number of seconds to return values - it lets me test the report regions by simulating a long-running query. I'll post the code in the comments.
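For readers who want to reproduce the test setup, here is an added example of a pipelined function of the kind described above, together with the region query using the P1_SHOW_REGION predicate. This is my code, not the author's (theirs is in the comments); it assumes the standard EMP table and EXECUTE privilege on DBMS_LOCK, and the type name T_ENAME_TAB and the function's signature are my choices.

```plsql
-- Added example, not the post's own code: a pipelined function that waits
-- p_seconds before returning rows, to simulate a long-running report query.
-- Assumes the EMP table and EXECUTE on DBMS_LOCK (use DBMS_SESSION.SLEEP on 18c+).
create or replace type t_ename_tab as table of varchar2(30);
/

create or replace function delay_table (p_seconds in number)
  return t_ename_tab pipelined
is
begin
  dbms_lock.sleep(p_seconds);                 -- the simulated slow part
  for r in (select ename from emp order by ename) loop
    pipe row (r.ename);                       -- stream rows back one at a time
  end loop;
  return;
end delay_table;
/

-- Region source. While P1_SHOW_REGION is empty at render time the bind-only
-- predicate is false; Oracle evaluates it once in a FILTER step above the
-- table function, so delay_table is never called. After the apexrefresh the
-- item is 'Y' and the wait (and the real query) happens.
select column_value as ename
  from table(delay_table(5))
 where :P1_SHOW_REGION is not null;
```

Running the region query with the item null should return instantly with no rows; running it after the item is set should take about five seconds, which is the behaviour the rest of the post relies on.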
Next I created a before header process which resets the session state for the item - ensuring it is blank when the page loads.

Blank Item

Then I created a computation firing after regions which sets the value to "Y" - so the value is set in the session state ready to be used by our region refresh process.

Set Value

Finally I created the following JavaScript snippet and added this to the Execute When Page Loads section of the page definition.

// Remembers which regions have already been refreshed, keyed by the
// region selector's href (e.g. "#my_region"), so each query runs once.
var regionSelectorShown = {};

$(".apex-rds").data("onRegionChange", function(mode, activeTab) {
  // First time this tab is selected: record it and refresh the region,
  // which re-runs its query now that P1_SHOW_REGION holds 'Y'.
  if (typeof regionSelectorShown[activeTab.href] === 'undefined') {
    regionSelectorShown[activeTab.href] = "Y";
    $(activeTab.href).trigger("apexrefresh");
  }
});

Execute on Page Load

So what is that doing? We are adding a callback on the onRegionChange event which, when triggered, adds the name of the region (activeTab.href) to regionSelectorShown. This is purely so that once we have shown a region within a page, we don't re-execute the query if the user tabs out and back in again. Then we fire the apexrefresh trigger, passing the region name to the jQuery selector. This causes a partial page refresh (PPR) of the region, which now sees the value of :P1_SHOW_REGION as "Y" and thus executes the query in full.
Now when we load the page, the region shown first fires the callback and shows initially. Then as we click through other regions, we get the processing icon (whilst waiting for the data to come back via my delay_table function) and the region shows. If we tab out and back in again, we don't call the refresh process again, as regionSelectorShown has a value indexed by the region ID indicating we have already shown it and so don't need to again.

Region Loading

 

Region Loaded

As always, there is room for improvement and extension of this. If you do so then I'd really appreciate it if you could drop me a line in the comments so others can benefit. It would be nice (and I'd have thought relatively easy) if this kind of functionality was considered for inclusion in the standard APEX build as a feature in future releases.

Tagged in: APEX

Oracle's APEX ships with some great plugins such as D3 Collapsible Treemaps.  The most immediate way to see these is to install the Sample Charts application and have a play with it.

It is fairly straightforward to use this plug-in in your own APEX applications. Here I simply exported the plugin from the Sample Charts application and imported it into my new application. I then changed the SQL to drive from my own tables, and here we are. What is appealing about this visualisation is that it shows the number of children under each node before you click to expand. For example, here I can see that 1200 has 5 children underneath it.

 

I have also used the "Tooltip" functionality to give a nice popup description when I mouse over the node.

Also, each node can be made a link that drills off to show the user further detail, so it really does become quite a useful visualisation that can be used quickly and easily.

The sample applications that ship with APEX (and I'm currently using the latest, 5.1.1) come with quite a few plugins that show off the extensibility of the framework and should give you some ideas on how best to use them. So if you are upgrading from older versions of APEX and making the leap to 5.1, I'd highly recommend installing a selection of the applications and seeing what's been shipped there. Of course this is the release that has finally integrated JET charts, and we will cover some of their use, with examples such as drilling to detail, in a later blog.

Tagged in: APEX, APEX 5.1, D3