Transcript

Cross Site Scripting

11. Securing Oracle APEX – Cross Site Scripting XSS

>> Dan:  Let’s look at another vulnerability. This one’s called cross-site scripting.

[pause]

When we create forms for end users we expect them to use them as we design them, but they’re not tied to that. They don’t have to. You have to watch out for what can happen when they use it a different way.

[pause]

If they put certain tags into fields where the data is the output, later the browser will actually just look at that as though it were native HTML code for the webpage. So if they put in a script tag, guess what, the browser will execute it.

[pause]

APEX provides us with some tools to work around this. One of the neat things is that, as APEX has become more and more hardened over the years, they’re now on by default. You actually have to undo them to shoot yourself in the foot. And that’s just what our developer ILOVETODEV has done here.

[pause]

This is by far the hardest demo, so fingers crossed, I get this one right.

[pause]

What I’m going to show you is a session hijacking demo. ILOVETODEV innocently enough created this app.

[pause]

It’s called the shout out app. The intent is just to let everybody sort of share their thoughts and be able to comment in a shared location. ILOVETODEV spent some time locking this app down so that only certain people could do certain things. He took the URL when he was done with it.

[pause]

And I’m coming now in IE.

[pause]

He gave this to ILOVETOADMIN. So ILOVETOADMIN goes to log in.

[pause]

Now we see create. So ILOVETOADMIN can come over here and create a message and ILOVETOADMIN has this nice HTML editor so he can come in here and make things look really weird if he wants and hit “Create.”

Oops, we got a date there.

[pause]

And then there’s the message for all the world to see because the app does not require authentication.

ILOVETOHACK finds out about this app, he can see the page, he can see that there is a vulnerability. So ILOVETOHACK goes and creates their own workspace, HACKER, and gets logged in.

[pause]

ILOVETOHACK then creates an application and inside the application in the shared components places an application level process innocently named GET REPORT DETAILS. What it does is not so innocent. What it’s doing, with some variables declared, is getting cookie values from the request. It’s then looping through them building up a string and inserting both some cookie data as well as the URL that’s passed to it into a table called hacked sessions.

But how is this going to work in ILOVETODEV’s application? Well, now ILOVETOHACK gets the URL to the application as well.

[pause]

ILOVETOHACK is in this browser, punches it in, gets logged in. Because this is open to the public, you just have to have an account to be able to post. And then goes to post a new comment. But what ILOVETOHACK posts is not so innocent.

[pause]

To do it he goes to the source and pastes something in. Let’s take a look at this.

[pause]

I have to show you another way. Anyway, I’m going to go ahead and post this in here. We’ll just go through it really slowly I guess.

You can see in the beginning some regular HTML, but then comes a script, and what happens here is some AJAX. This is an AJAX call out and it’s going to the app that ILOVETOHACK created and it’s calling that app level process passing along some information, and at the very end another nice easy message.

[pause]

He creates this message and it looks innocently enough on the surface. But what happens here with ILOVETOADMIN, just a simple refresh of the page and they fall into the trap. Because they see this message, what ILOVETOHACK needed has already happened.

So if we go back to ILOVETOHACK, get him logged in, and go to the SQL workshop. Let’s do object browser actually.

[pause]

Here’s a table called hacked sessions. So there’s one row in it right now. We go back to IE, refresh, go back to Chrome, now we have two.

What do I have in here? I have this cookie data. It doesn’t really mean much to me but ILOVETOHACK, because he’s a good hacker, has a little script ready. Grabs this value, grabs this value.

[pause]

And brings the script into a browser that they’d like to work with. I’m going to use IE here – I’m sorry, Firefox here. I’m going to open up Firebug and I’ll show you the script.

[pause]

Here’s the console, paste it in here. ILOVETOHACK then takes the cookie values they got as well as the URL that was given to them and they can run a script like this. It’s basically splitting up the string into a number of cookies then calling the set cookie function for each and every one it finds, basically recreating the cookies that were over here in IE now inside Firefox.

So we run this script, it executes and gives us this URL. We know this is the URL we’re trying to use up here.

[pause]

And that failed for me.

[pause]

I must have made a mistake. Let’s try it one more time. As I mentioned this is the tough one that could go wrong.

[pause]

In Firefox using – this is not working for me. I seem to be missing something in the cookie information. But you’ll have to take my word for it. I tested this yesterday, it worked just fine. Unfortunately, that didn’t work but I think you get the idea.

Cross-site scripting is a serious problem where – I’m showing you one demo here. It can be as simple as an alert which isn’t very dangerous but is certainly annoying. It could be as dangerous as bringing in code from another site that grabs cookies to do session hijacking.

Again, this is not an APEX specific issue. This is something more serious. It has to do with web development in general so you need to lock things down. Using SSL is a step in the right direction in this case.

[pause]

Session timeouts – one last thing I’ll mention here is session timeouts. You have this functionality built-in. The default session length is 8 hours max. There’s a session idle time you can configure too. We actually built a plugin to work with this a little bit better. It works like a bank: when the idle time runs out, you go to lunch, you come back, and it looks like it’s still logged in to APEX and you’re not. This will modify that a little bit. It will actually log the user out and take them to the login screen.
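
The core of the demo above is that the shout out app placed a stored message into the page as raw markup instead of escaping it, which is the default protection the talk says had to be switched off. The following Python is an added example, not code from the SkillBuilders video or from Oracle APEX: it models a "shout out" board with a constructed message list (the author names are the ones used in the talk; the message bodies are made up), renders it with and without output escaping, and audits the stored rows for script markup so a defender can spot a poisoned message before anyone refreshes the page.

```python
import html
import re

# Constructed sample of rows as a "shout out" style app might store them.
# The second body carries a script tag, the way the comment in the demo did;
# its contents are a placeholder comment, not the demo's AJAX call.
STORED_MESSAGES = [
    ("ILOVETOADMIN", "<b>Welcome</b> to the shout out board!"),
    ("ILOVETOHACK", "Nice app <script>/* placeholder: a call out to another app */</script> enjoy"),
]

# Heuristic for live script markup: a script tag, an inline event handler
# attribute, or a javascript: URL. Plain text such as "one = 1" can trip the
# handler pattern, so treat hits as items to review, not proof of an attack.
SCRIPT_MARKUP = re.compile(r"<\s*script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)


def render_message(author, body, escape_output=True):
    """Render one stored message as an HTML list item.

    escape_output=True is the safe default (the behaviour APEX applies unless a
    developer turns it off): the body is shown as text, so a <script> tag
    arrives in the browser as the literal characters &lt;script&gt;.
    escape_output=False reproduces the developer's mistake from the demo: the
    stored body is dropped into the page as markup and the browser runs it.
    """
    safe_author = html.escape(author)
    shown = html.escape(body, quote=True) if escape_output else body
    return f"<li><b>{safe_author}</b>: {shown}</li>"


def render_board(messages, escape_output=True):
    """Render the whole board; the same flag applies to every message."""
    items = "\n".join(render_message(a, b, escape_output) for a, b in messages)
    return "<ul>\n" + items + "\n</ul>"


def contains_script_markup(html_text):
    """True if rendered page text still carries live script markup."""
    return SCRIPT_MARKUP.search(html_text) is not None


def find_suspicious_messages(messages):
    """Audit stored rows: return the authors whose body contains script markup.

    Running this over the table behind the board is the defender's view of
    the demo: the poisoned row is visible in the data before it ever reaches
    a victim's browser.
    """
    return [author for author, body in messages if SCRIPT_MARKUP.search(body)]


if __name__ == "__main__":
    print("raw rendering contains script markup:",
          contains_script_markup(render_board(STORED_MESSAGES, escape_output=False)))
    print("escaped rendering contains script markup:",
          contains_script_markup(render_board(STORED_MESSAGES, escape_output=True)))
    print("rows to review:", find_suspicious_messages(STORED_MESSAGES))
```

Escaping every message does mean the admin's `<b>Welcome</b>` is shown as literal text too; if a board genuinely needs the rich-text editing the demo shows, the fix is an allowlist sanitizer for the stored HTML, not turning the escaping off for the whole column.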

Copyright SkillBuilders.com 2017
