Barry

Reputation: 11

Oracle APEX Security Tips?

I have a suite of Oracle APEX-based applications due to have a security test. Does anyone have any tips on what I should look for to tighten things up?

Upvotes: 0

Views: 1958

Answers (1)

foob

Reputation: 101

The thing with APEX applications is that the underlying code is all PL/SQL, so it is no surprise that the major class of vulnerability affecting APEX applications is SQL injection.

You need to make sure that you do not use substitution variables (e.g. &P1_TEST.) as these almost always lead to exploitable injection. When they are used within PL/SQL begin/end blocks the injection is very "powerful" as an attacker can specify an arbitrary number of PL/SQL statements.

Many Apex apps use dynamic SQL (where a query is constructed in a string and then executed), either through direct calls to EXECUTE IMMEDIATE or through Apex FUNCTION_RETURNING_SQL blocks. Dynamic SQL is almost always a bad idea.

You'll also find quite a bit of Cross-Site Scripting in Apex apps, where input from users, or from queries run against the database is not escaped. The various Apex reports provide settings to enable escaping but these may not have been chosen when the report was defined.

Also consider the access-control model and ensure all the pages are protected with appropriate authorisation schemes. Do not use the APEX_APPLICATION_FILES table if you're storing uploads as that doesn't protect against unauthenticated downloads.

Hope that helps, and good luck!

Upvotes: 1
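The substitution/dynamic-SQL and escaping points from the answer above, as an added PL/SQL example that is not part of the original post. P1_NAME, P1_COL, P1_COUNT and the EMP table are hypothetical; each block is the kind of code that would sit in an APEX page process or PL/SQL region.

```sql
-- Added example, not from the answer. P1_NAME/P1_COL/P1_COUNT are hypothetical
-- page items and EMP a hypothetical table.

-- 1. Vulnerable: the item value is pasted into the statement text.
--    (A substitution reference such as &P1_NAME. has the same effect and is
--    worse inside begin/end, because it is expanded before the block is compiled.)
declare
  l_count number;
  l_sql   varchar2(4000);
begin
  l_sql := 'select count(*) from emp where ename = ''' || :P1_NAME || '''';
  execute immediate l_sql into l_count;   -- the user controls l_sql
  apex_util.set_session_state('P1_COUNT', l_count);
end;

-- 2. Hardened: no dynamic SQL; the item is a bind variable, so its value is
--    data and cannot change the statement's structure.
declare
  l_count number;
begin
  select count(*) into l_count
    from emp
   where ename = :P1_NAME;
  apex_util.set_session_state('P1_COUNT', l_count);
end;

-- 3. Where dynamic SQL is unavoidable, still bind the value and whitelist
--    anything that must be structural (identifiers cannot be bound).
declare
  l_count number;
  l_col   varchar2(30);
begin
  l_col := case :P1_COL when 'ENAME' then 'ename' when 'JOB' then 'job' end;
  if l_col is null then
    raise_application_error(-20001, 'invalid column');
  end if;
  execute immediate
    'select count(*) from emp where ' || l_col || ' = :1'
    into l_count using :P1_NAME;
  apex_util.set_session_state('P1_COUNT', l_count);
end;

-- 4. Output escaping (the XSS point): when a PL/SQL region prints data,
--    escape it explicitly rather than relying on report settings alone.
begin
  htp.p('<span>' || apex_escape.html(:P1_NAME) || '</span>');
end;
```

Block 1 is also what a FUNCTION_RETURNING_SQL region effectively does when it concatenates item values; the fix there is the same as block 3, binding values and whitelisting structural parts.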
