Oracle APEX Security Tutorial

Learn how to harden your Oracle APEX applications! Prevent cross site scripting, SQL injection and more.

Oracle Application Express (APEX) has many security related features that help developers create applications that are guarded from today’s web based threats. But if developers are unaware of these features, how they work and what they guard against, then it is likely they will create applications with at least a few security holes. In this tutorial you will see demos of certain exploits, including Cross Site Scripting and SQL injection, and subsequently learn how to protect against them using the correct feature(s) in APEX or Oracle in general.

Want more? April 10 INTERMEDIATE APEX Training with Expert Tyson Jouglet!

This free training is segmented into several separate lessons:

  1. Overview (1:21)
  2. Is APEX Secure (1:13)
  3. Controlling Access (0:57)
  4. Authentication Schemes (3:08)
  5. Conditions vs Authorization (12:45)
  6. Protect the Ends (12:45)
  7. Propagate the WHERE (3:47)
  8. Session State Protection (8:44)
  9. Other Session State Protection (3:24) (click on video below)
  10. SQL Injection (5:16)
  11. Cross Site Scripting (9:05)

Date: Sep 27, 2012

Want more? April 10 INTERMEDIATE APEX Training with Expert Tyson Jouglet!

NOTE: Some corporate firewalls will not allow videos hosted by YouTube.


Other Session State Protection

9. Securing Oracle APEX – Other Session State Protection


>> Dan:  What else do you need to worry about when it comes to session state protection? 


One of the most important things are service side validations which prevent of course DOM manipulation. You may give somebody a particular type of control like a select list with a subset of all available options such as departments. You may say, “Well, department 10 is no longer being used.” We’ll use a predicate in the WHERE clause in your item and then they can’t select department 10. 




But using tools like you’ve seen me use today like Firebug – and every browser has them now, you can manipulate the DOM and insert values that weren’t there when the page loaded. Your protection against that is to use validations to validate what you need. 




There are also hidden items and these can be made protected. There’s this protected option with hidden items. A lot of folks don’t quite understand what it means. It doesn’t work like session state protection does. It works a little bit differently and that when the hidden item renders on the page, the value cannot be changed from the time the page loads to the time that it’s submitted. If it is you’ll get another error. So the user won’t see it but even if they did find it, a hacker type was to find it they would not be able to manipulate its value. Read-only is also protected. 




Let’s take a look at some of these. 




Here you have a state select list. And this is a silly example. You probably wouldn’t need to validate this but you see very easily I can see the values. If I want to change these values here, I can certainly do that. 




So selecting Alabama would in fact map Florida to session state and push that into the database. Watch out for that user validations. 


Another one I’ll show you is hidden and protected. Now, this is used all over APEX already. When you go into hidden item like this customer ID, you’ll see that this is value protected. Interestingly enough this is set to no, it should be a yes. So let’s move that to a yes and we’ll run this page. 




And what you’ll see now is – you don’t see the item but it is in fact in the page. 




Here it is. It’s hidden. It has a value of 7. If I would’ve changed this to say 8, what would happen when I submit the page I would actually be pushing all of the data we see here into a completely different user, so to prevent this use hidden and protected. Now I’ve changed the 7 to an 8 and because we said it’s protected, when I hit “Apply Changes” here we get an error. That’s what hidden and protected is. Make sure you’re using that appropriately for the right items.


Copyright 2017

Free Online Registration Required

The tutorial session you want to view requires your registering with us.

It’s fast and easy, and totally FREE.

And best of all, once you are registered, you’ll also have access to all the other 100’s of FREE Video Tutorials we offer!