
Oracle Application Express Security Essentials. Security Features for Developers Input/Output Filtering - Cross-Site Scripting (XSS) Review of Application.

Dec 29, 2015


Cynthia Fox
Transcript
Page 1: Oracle Application Express Security Essentials. Security Features for Developers Input/Output Filtering - Cross-Site Scripting (XSS) Review of Application.

Oracle Application Express Security Essentials

Page 2: Security Features for Developers

• Input/Output Filtering - Cross-Site Scripting (XSS)
• Review of Application Express “machinery”
• Session State Protection – URL Tampering
• Encrypted Session State
• Passwords and Session State
• Session Expiration

Page 3: Input/Output Filtering

• Purpose – to help developers prevent cross-site scripting attacks
• How do values get into session state?
  • User input as form items submitted with page
  • Item values passed in f?p URL
    f?p=100:1:999::::P1_X:100000
  • Application actions (processes, computations, …)
    :P1_X := 'foo';
    select sal into :P1_SAL from emp;
    apex_util.set_session_state('P1_X', 100000);
    set_sal_procedure(:P1_X /* OUT */);
• Automatic input filtering applies to f?p inputs only

Page 4: Input Filtering

• Page Item Display Types
  • Form Items
    • Checkbox
    • Date Picker
    • Hidden
    • Hidden and Protected
    • Password
    • Radiogroup
    • Select List
    • Text Field
    • Text Area
    • Display as Text (saves state)
    • ...
• Form items are submitted with page (POSTed)

Page 5: Input Filtering, cont’d.

• Page Item Display Types, cont’d
  • Display-Only Items
    • Display as Text (does not save state) – for emitting HTML
    • Display as Text (based on LOV, does not save state)
    • Display as Text (based on PLSQL, does not save state)
    • Display as Text (escape special characters, does not save state)
  • Display-Only items cannot be submitted with page (POST)
  • Display-Only items can be set through URL (f?p)
• This is where automatic input filtering occurs – if the item in the URL is one of these types, special characters are escaped when the value is saved in session state

Page 6: Output Filtering

• What type of output gets sent to browser?
  • Characters that are to be interpreted as HTML or script
  • Characters that are to be displayed as text
  • When characters are not escaped when they should be, this is the basis of XSS
• Report output – source is database
  • Developers should use report column type Display as Text (escape special characters), not Standard Report Column
  • Might the data selected from a table contain unexpected script?
• Dynamic PL/SQL (htp.p) – varied sources
  • Developers must have perfect knowledge of the safety of inputs when assembling output to browser. Where did the input originate, what transforms has it passed through, who might have touched it?
• Referencing session state – never reference a POSTable item type and emit it to browser unescaped.

Page 7: Output Filtering, cont’d.

• Session State Substitution Syntax
  • &P1_X. – item is Display-Only type
  • &P1_Y. – item is Hidden type
• HTML Region or other textual context
  • User &P1_X. is logged in.
    • Value in session state: <b>Scott</b>
    • Appearance on page: User Scott is logged in.
  • User &P1_Y. is logged in.
    • Value in session state: <b>Scott</b>
    • Appearance on page: User &lt;Scott&gt; is logged in.
• Automatic escaping on output of display-only item types
  • We know it was not escaped on input, so escape on output
  • f?p .. P1_HACK:<script>alert(1);</script>

Page 8: Output Filtering, cont’d.

• Developer Responsibility
  • Be able to prove that inputs are safe when assembling output
  • Always use htf.escape_sc when referencing form items, e.g.,
    htp.p(htf.escape_sc( v('P1_Y') ) ); -- where P1_Y is hidden type.
  • When setting session state, be conscious of item types and the risk of allowing unsafe characters to corrupt item values
    • P1_H is a hidden item normally containing safe characters
    • Hacker uses f?p URL to set P1_H:<script>alert(1);</script>
    • Page 2 gets display-only item value from the corrupted hidden item: :P2_D := :P1_H;
    • Page 2 displays XSS alert
    • HTML region on page 3 references page 2 display-only item as &P2_D.
    • Page 3 displays XSS alert

Page 9: Overview of Moving Parts

• End user clicks f?p link
  http://apex.oracle.com/pls/otn/f?p=4500:1000:532922333356168
• f calls wwv_flow.show procedure (page show request)
  • The HTTP listener invokes modplsql, which connects to the database using a session obtained from the connection pool.
  • modplsql builds and executes an anonymous block that calls the f procedure.
  • f parses its input arguments and passes them to wwv_flow directly or sets package variables in the wwv_flow package or other packages for their access.

Page 10: Moving parts, cont’d.

• wwv_flow.show constructs and emits HTML to browser
• End user uses hyperlinks to navigate to other pages (f?p requests) or submits HTML form page – page POST invokes wwv_flow.accept procedure (page accept request)
• wwv_flow.accept evaluates branches defined on the apex page submitted
• When a suitable branch is found, a URL redirect request is issued to initiate the next page show request through f (http:// .. f?p= ..)

Page 11: Moving parts, cont’d.

Other Paths

• wwv_flow.show -> wwv_flow.show
  authentication steps, error pages
• wwv_flow.accept -> wwv_flow.show
  Branch to Page or direct branch
  To present page validation errors
• wwv_flow.show -> wwv_flow.accept
  Branch to Page Accept
• AJAX – xmlhttp request POSTs to wwv_flow.show

Page 12: Moving parts, cont’d.

© 2009 Oracle Corporation

• The essential parameter to f is p (f?p= …)
  application:page:session:request:debug:cc:inames:ivalues:pf
• Other parameters
  • p_trace – turn on database session tracing
  • c – workspace identifier
  • pg_min_row, pg_max_rows – report pagination
• Above parameters are passed to wwv_flow.show directly

Page 13: Moving parts, cont’d.

    wwv_flow.show (
        p_flow_id => 100,
        p_flow_step_id => 1,
        p_instance => 999,
        p_request => null,
        p_debug => 'NO',
        p_clear_cache => null,
        p_arg_names => 'P1_ID',
        p_arg_values => '32',
        p_printer_friendly => 'NO',
        p_trace => 'YES',
        p_company => 'DEV'
    );

f?p=100:1:999::NO::P1_ID:32&p_trace=YES&c=DEV

Page 14: Moving parts, cont’d.

Parameters that cannot be passed to wwv_flow.show directly:

• success_msg
• notification_msg
• cs (Session State Protection checksum)

• f assigns these parameter values to package variables
  • cannot be set by end user calling f or show procedures
  • message content protected against cross-site scripting
  • security variables remain secure

Page 15: Moving Parts, cont’d.

wwv_flow.show inputs:
• Application ID
• Page ID
• Session ID
• Workspace ID
• Request
• Page and Application Item Names
• Page and Application Item Values
• Ajax Controls, Scalar and Array Values
• Checksums and other Security Values
• Debug and Trace Flags

wwv_flow.accept inputs:
• Application ID
• Page ID
• Session ID
• Workspace ID
• Request
• Page Item IDs
• Page Item Values (scalar or array)
• Dynamically Generated Values (array)
• Checksums and other Security Values
• Debug and Trace Flags

Page 16: Session State Protection

• Feature first appeared in 2.0
• Prevent URL tampering
  • User can change empno value to cause record to be selected for different emp
  • First level of protection against “mis-navigation”
  • Authorization must still be used in all the right places, e.g., if authenticated user has no business seeing EMP row for EMPNO 7839, authorization must prevent that.
    f?p=100:1:999::NO::P1_EMPNO:7839
• Helps developers build applications that insist on being operated as intended
  • Don’t let users run pages with arbitrary or experimental input values in f?p URL
  • Require users to use application’s navigational aids
  • Discourage use of browser back button
  • Don’t let users jump into the middle of multi-step page sequences like wizards

Page 17: Session State Protection

• Method: Generate checksummed URLs to apex pages
  f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def&cs=350B21557A3A3338EBB124CDE2F3333C8
• When the apex engine generates links for page branches, list item targets, parent tab targets, breadcrumbs, button redirect URLs, report column links, calendar links, etc., it appends the &cs argument to f
• Checksum is computed over request, clear-cache, and item names/values
• If the user alters the URL, checksum verification will fail when show is called by f
• Checksum is an md5 hash of the values along with a session-specific salt

Page 18: Session State Protection

• Pages have SSP attribute Page Access Protection – edit page definition
  • Unrestricted – when SSP is not used by the page
  • Arguments Must Have Checksum – if URL contains request, clear-cache, item names/item values then the &cs= argument must be in the URL for verification
  • No Arguments Allowed – navigation to page is allowed but no request, clear-cache, item names/values are allowed, e.g., f?p=211:2:999
  • No URL Access – direct branch only may access page

Page 19: Session State Protection

• Display-Only items and Application items have a useful security attribute that can be used whether SSP is enabled or not
  • Edit item security attributes and select Restricted: May not be set from browser – the item may not be altered via the URL.
  • Use this when you want to restrict the way that the item value can be set to internal processes, computations, etc.
• When SSP is enabled for the application, non-restricted items can have one of these Item Protection Level settings:
  • Unrestricted – no checksum necessary to set item in URL
  • Checksum Required: Session Level
  • Checksum Required: User Level
  • Checksum Required: Application Level

Page 20: Session State Protection

f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def&cs=350B21557A3A3338EBB124CDE2F3333C8

• Does application 211 have SSP enabled?
• Does page 2 require a checksum?
• Is the checksum correct (req, cc, names, values)?
• Begin saving items in session state. For each item:
  • Does the item require a checksum, and what type?
  • Is the checksum level set by f in the wwv_flow global >= the item checksum type required (3, 2, or 1)?
• Prevent a request to unprotected page 3 from allowing P2_ITEM1 to be set:
  f?p=211:3:999:req:NO::P2_ITEM1

Page 21: Session State Protection

f?p=211:2:999:req:NO::P2_ITEM1,P2_ITEM2:abc,def&cs=250B21557A3A3338EBB124CDE2F3333C8

• User likes this link and wants to bookmark it
• Your application generated authorized values for this authenticated user
• Specify Checksum Required: User Level in Item Protection Level attributes
  • User will be able to bookmark the link and use it in a different session
• Specify Checksum Required: Application Level in Item Protection Level attributes to allow bookmarked links to be re-used by any user of this application in the current workspace in a new session
• Checksums for bookmark-able links use a salt saved as an application attribute
  • Home>Application Builder>Application 211>Shared Components>Edit Security Attributes
    Allow URLs Created After: 02/27/2009 04:31:51 AM
    Button: Expire Bookmarks

Page 22: Session State Protection

• To dynamically generate links with checksums, use the apex_util package:

    prepare_url(
        p_url in varchar2,
        p_url_charset in varchar2 default null,
        p_checksum_type in varchar2 default null)

• p_checksum_type
  • '3' or 'SESSION'
  • '2' or 'PRIVATE_BOOKMARK'
  • '1' or 'PUBLIC_BOOKMARK'
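As an added model (Python, not APEX code) of the show-time checks walked through on page 20 and the p_checksum_type values on page 22: the md5-plus-salt construction, the salt strings, the host name and the item protection levels below are constructed stand-ins for engine internals the slides do not show.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

# p_checksum_type values as listed for apex_util.prepare_url; 0 means "no checksum".
LEVELS = {"SESSION": 3, "PRIVATE_BOOKMARK": 2, "PUBLIC_BOOKMARK": 1, "3": 3, "2": 2, "1": 1}
APP_SALT = "app-211-salt-2009-02-27"  # constructed stand-in for the application attribute

def salt(level, session, user):
    # Constructed salts for the three scopes on the slides: session-specific (3),
    # per user so a private bookmark survives a new session (2), per application (1).
    return {3: f"session-{session}", 2: f"user-{user}", 1: APP_SALT}[level]

def parse_p(p):
    """Split the f?p= value: application:page:session:request:debug:cc:inames:ivalues:pf."""
    keys = ("app", "page", "session", "request", "debug", "cc", "inames", "ivalues", "pf")
    return dict(zip(keys, (p.split(":") + [""] * 9)[:9]))

def checksum(args, level, session, user):
    """Page 17's rule, modelled: md5 over request, clear-cache, item names/values + salt."""
    data = "|".join([args["request"], args["cc"], args["inames"], args["ivalues"],
                     salt(level, session, user)])
    return hashlib.md5(data.encode()).hexdigest().upper()

def split_url(url):
    q = parse_qs(urlsplit(url).query)
    return parse_p(q["p"][0]), q.get("cs", [""])[0]

def prepare_url(url, user, checksum_type="SESSION"):
    """Append &cs= as the engine does for generated links (cf. apex_util.prepare_url)."""
    args, _ = split_url(url)
    return f"{url}&cs={checksum(args, LEVELS[str(checksum_type)], args['session'], user)}"

def verify(url, session, user, page_access="ARGUMENTS_MUST_HAVE_CHECKSUM", item_levels=None):
    """Model the show-time checks (page access protection, checksum, item protection level).
    session/user are the caller's current session and user, not the ones in the URL.
    Returns (accepted, reason)."""
    args, cs = split_url(url)
    has_args = any(args[k] for k in ("request", "cc", "inames", "ivalues"))
    if page_access == "NO_URL_ACCESS":
        return False, "page reachable by direct branch only"
    if page_access == "NO_ARGUMENTS" and has_args:
        return False, "page accepts no request, clear-cache or item arguments"
    # Highest level whose salt reproduces cs is the level f establishes for this request.
    level = next((lvl for lvl in (3, 2, 1)
                  if cs and cs == checksum(args, lvl, session, user)), 0)
    if page_access == "ARGUMENTS_MUST_HAVE_CHECKSUM" and has_args and level == 0:
        return False, "checksum verification failed"
    for name in filter(None, args["inames"].split(",")):
        required = (item_levels or {}).get(name, 0)   # 0 = Unrestricted item
        if required > level:
            return False, f"{name} needs level {required}, URL established level {level}"
    return True, f"accepted at level {level}"
```

Presenting the page-3 URL from page 20 without a checksum is refused at the item level, and a SESSION-level link is refused from any other session while a PRIVATE_BOOKMARK link still verifies for the same user.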

Page 23: Session State Protection

• Feature easy to turn SSP on/off for an application
  • During development, this can be useful
  • You don’t lose your settings when you disable SSP
• Developer can use wizard to set page and item attributes for entire application
• Easy to adjust page/item SSP attributes individually
• Feature should be enabled by default when application is created – maybe for next release
• Important to remember to set both page and item attributes when first setting it up.

Page 24: Session Expiration

3.2 Feature – Session expiration application attributes

Home>Application Builder>Application 211>Shared Components>Edit Security Attributes

• Maximum Session Length in Seconds – wall clock time the session can exist
• Session Timeout URL – for a public page to tell the user what happened
• Maximum Session Idle Time in Seconds – wall clock time the session may be idle
• Idle Timeout – for a public page to tell the user what happened
• API provided to programmatically adjust either limit (apex_util):

    procedure set_session_lifetime_seconds( p_seconds in number, p_scope in varchar2 default 'SESSION');
    procedure set_session_max_idle_seconds( p_seconds in number, p_scope in varchar2 default 'SESSION');

Page 25: Session State Encryption

3.2 Feature – Session state encryption for page item values

Home>Application Builder>Application 9188>Page 7>Edit Page Item

Store value encrypted in session state: Yes/No

• When the item is saved in the session state table, it is encrypted. This protects sensitive data from unauthorized viewing by those with access to database tables, backups, etc.
• When the item is referenced within the application, it is decrypted.
• Not possible to pass an encrypted value in a URL. Developers should avoid passing these values in links.
• DBMS_CRYPTO is used with a salt generated during the installation of Application Express and saved in the SYS schema

Page 26: Non-persistent Password Item Type

3.2 Feature – Non-persistent password item type

• Passwords that are entered in a form and processed during that page’s after-submit processing can use the new Password (does not save state) item type
• Apex engine simply skips the step that would ordinarily write submitted item values to the session state table.
• Page item value can be referenced during after-submit validations, computations, processes, and by compiled PL/SQL called from those components during the lifetime of the HTTP request used to submit the page. After that, there is no record of the item value.
• During upgrade to 3.2, all “old” password item types in applications are converted to use the encryption feature.
• Apex provides new reports so developers can see at-risk password types in an application, i.e., those that use the “old” password type and also do not use the encryption feature.