Presentation is loading. Please wait.

Presentation is loading. Please wait.

© LogicaCMG 2006. All rights reserved How to Make Your Oracle APEX Application Secure Peter Lorenzen Technology Manager WM-data Denmark a LogicaCMG Company.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "© LogicaCMG 2006. All rights reserved How to Make Your Oracle APEX Application Secure Peter Lorenzen Technology Manager WM-data Denmark a LogicaCMG Company."— Presentation transcript:

1 © LogicaCMG 2006. All rights reserved How to Make Your Oracle APEX Application Secure Peter Lorenzen Technology Manager WM-data Denmark a LogicaCMG Company peloz@wmdata.com 1

2 Presentation Target audience is developers Focus is on how to prevent hackers from gaining access In terms of what I believe an APEX developer in a small shop, without a fulltime security expert or DBA, should know More an overview of security threats and countermeasures than a thorough analysis Point you to resources with more information about the different subjects Assumption: An application that –is accessed from the Internet –contains valuable and secret information 2

3 APEX Project References The Danish Department of Prisons and Probation uses APEX in the process of deciding in which facility a client should serve RTX Telecom uses APEX to control DECT cordless telephones in Rumania Naturgas Fyn is a provider of natural gas in Denmark. Currently we are developing a system that calculates the amount of gas that is needed from each gas provider the following day 3

4 Agenda Intro Architecture –HTTP Servers –Choosing an Architecture Hardening the Architecture –Patching –Hardening the Database –Hardening the HTTP Web Server Specific Threats –Cross-Site Scripting –SQL Injection Hardening APEX –Miscellaneous Conclusion 4

5 Intro – Security, what security? 5 A security company estimates that there are a 71% likelihood that a Website has a Cross-Site Scripting vulnerability and 20% for a SQL Injection

6 Architecture Oracle 9i/10g Database Oracle Express Edition Oracle 9i/10g Database Oracle Express Edition Oracle HTTP Server (Database Companion CD) Oracle HTTP Server (Oracle Application Server) Oracle XML DB HTTP Server Oracle HTTP Server (Database Companion CD) Oracle HTTP Server (Oracle Application Server) Oracle XML DB HTTP Server HTTP server 6 APEX Components There is such a thing as too cheap

7 Architecture Oracle HTTP Server (OHS) Oracle XML DB HTTP Server TechnologyApache 1.3.xDeveloped by Oracle. Builds on the Oracle Shared Server architecture Database “connection”mod_plsqlEmbedded PL/SQL Gateway 7 Which HTTP Server to Use? Use known technology

8 Architecture Minimum mod_proxy Only HTTP communication 8 Proxy HTTP Servers –Standard Apache 1.3/2.0 HTTP Server –OHS based on an Apache 2.0.x HTTP Server "Security is an architecture, not an appliance” - Art Wittman Database + HTTP server

9 Architecture Using Secure Sockets Layer (SSL) encryption SSL? 9 Security measures should match the risk and the value of the secured application/data Database + HTTP server

10 Hardening the Architecture Patch, Patch, Patch –Critical Patch Update (CPU) –Oracle Security Alerts –Remember regular Patch Sets –The Oracle HTTP Server – Patches from Oracle –Standard Apache HTTP Servers – Patches from Apache –Remember the OS –Patching can be difficult! 10 Patching should be part of the daily operations.

11 Hardening the Architecture Hardening the Database –Do not use the free Express Edition (XE) database The simple stuff –Follow the principle of least privilege –Lock or remove unused users –Use sensible passwords –SYS password != SYSTEM password Must-reads –Oracle Database Security Checklist –“Hacking and Securing Oracle - A Guide To Oracle Security” by Pete Finnigan A good place to start –Oracles Project Lockdown 11 Use checklists and adopt best practices

12 Hardening the Architecture Hardening the Apache HTTP Web Server –Remove pre-loaded modules –Remove pre-installed content –Don’t publicize names/versions of your running software Comprehensive Checklists –“Securing Oracle Application Server” by Caleb Sima –“Hardening Oracle Application Server 9i and 10g” by Alexander Kornbrust ServerSignature Off (Removes server information from error pages) ServerTokens Prod (Removes server version from the HTTP header) ServerSignature Off (Removes server information from error pages) ServerTokens Prod (Removes server version from the HTTP header) 12 Give away as little as possible about yourself

13 Specific Threats - Cross-Site Scripting (XSS) Simple definition –Attacker injects JavaScript in an application in order to steal data or corrupt the application Quick example in APEX –Create a Form on a table of type “Form on a Table with Report” –Run the Report and create a row with this data in a VARCHAR2 column –When you press Create and branch back to the Report the JavaScript is executed Test alert(‘Hello world’); 13

14 Specific Threats - Cross-Site Scripting Fix: Escape Special characters like,& Change Display as Standard Report Column Display as text (escape special characters, does not save state) Standard Report Column Display as text (escape special characters, does not save state) 14

15 Specific Threats - Cross-Site Scripting Escaping is the weapon of choice when dealing with XSS threats Escape all output The page source will now look like this In PL/SQL use this function: HTF.escape_sc Read about safe items in the User’s Guide 15 Test<script>alert('Hello world');</script> Don’t trust any input from the end-user

16 Specific Threats - SQL Injection Definition –An attacker inputs extra SQL in an application Simple example in APEX –Report based on a SQL Query –The P1_ENAME item is input by a user –If an user input the text below all rows will be shown –The fix for this specific situation is to use bind variables select job, sal from emp where ename = '&P1_ENAME.' qwerty' or 1=1-- select job, sal from emp where ename = :P1_ENAME 16

17 Specific Threats - SQL Injection Take care when an end-user can input text that is used in DML Watch out for concatenation of user input in DML Take care when using Dynamic SQL Validate end-user input: –Check for max. length –Check for parentheses, comments (--, /* */) –Validate the input against a table DBMS_SQL or Native Dynamic SQL e.g. Execute Immediate DBMS_SQL or Native Dynamic SQL e.g. Execute Immediate 17 Always use Bind Variables!

18 Hardening APEX Session State Protection (SSP) APEX URL APEX URL with SSP checksum Use APEX_UTIL.prepare_url to generate checksum from PL/SQL SSP should not be the only security measure! –Also check in the database Via triggers Virtual Private Database (VPD) f?p=101:7:2564045792426426::::P7_USER_ID:99 f?p=101:7:2564045792426426::::P7_USER_ID:99&cs=38D6164631F9364754257F3 18 42 Always use Session State Protection

19 Hardening APEX Security Options in the Administration Services (Options for you production system) –Disable Administrator Login –Disable Workspace Login –Restrict Access by IP Address –Workspace Password Policy Miscellaneous –Debugging should be disabled –Build Status should be Run Application Only 19 Lock down your production system

20 Hardening APEX Obfuscate the APEX_PUBLIC_USER Password –Use the dadTool.pl script –If you use marvel.conf rename it temporarily to dads.conf Checkboxes, Radio Buttons and Select Lists can be converted to text input –Always validate input! 20 Example using the Web Developer Firefox add-on

21 Secure Sockets Layer (SSL) encryption Check How-to’s on the APEX Wiki –Using SSL with the Oracle HTTP Server –Using SSL with the Oracle XML DB HTTP Server 21

22 Conclusion Security is important Create a sensible architecture Use SSL encryption Patch everything Harden the database and the Apache HTTP Server Escape output to prevent Cross-Site Scripting Validate input to prevent SQL Injection Use Session State Protection Prevent admin and development access to the production APEX installation Obfuscate the APEX_PUBLIC_USER password Always validate input from Checkboxes, Radio buttons, Select lists, etc. 22

23 How to Make Your Oracle APEX Application Secure Questions? 23 For More Information CPU and Security Alerts http://tinyurl.com/5dhto Oracle Database Security Checklist http://tinyurl.com/ytake2 “Hacking and Securing Oracle - A Guide To Oracle Security” by Pete Finnigan http://tinyurl.com/28jrt7 Oracles Project Lockdown http://tinyurl.com/24s4nf “Securing Oracle Application Server” by Caleb Sima http://tinyurl.com/2ey89a “Hardening Oracle Application Server 9i and 10g” by Alexander Kornbrust http://tinyurl.com/2x5h3h APEX Wiki http://tinyurl.com/2zosrp For More Information CPU and Security Alerts http://tinyurl.com/5dhto Oracle Database Security Checklist http://tinyurl.com/ytake2 “Hacking and Securing Oracle - A Guide To Oracle Security” by Pete Finnigan http://tinyurl.com/28jrt7 Oracles Project Lockdown http://tinyurl.com/24s4nf “Securing Oracle Application Server” by Caleb Sima http://tinyurl.com/2ey89a “Hardening Oracle Application Server 9i and 10g” by Alexander Kornbrust http://tinyurl.com/2x5h3h APEX Wiki http://tinyurl.com/2zosrp Contact Information Peter Lorenzen peloz@wmdata.com Contact Information Peter Lorenzen peloz@wmdata.com

Download ppt "© LogicaCMG 2006. All rights reserved How to Make Your Oracle APEX Application Secure Peter Lorenzen Technology Manager WM-data Denmark a LogicaCMG Company."

Similar presentations

RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.

RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Steal the Show with ApEx Oracle Open World, November 13, 2007 Bill Holtzman National Air Traffic Controllers Association.

Steal the Show with ApEx Oracle Open World, November 13, 2007 Bill Holtzman National Air Traffic Controllers Association.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.

Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.
© LogicaCMG 2006. All rights reserved How to Make Your Oracle APEX Application Secure Peter Lorenzen Technology Manager WM-data Denmark a LogicaCMG Company.

© LogicaCMG All rights reserved How to Make Your Oracle APEX Application Secure Peter Lorenzen Technology Manager WM-data Denmark a LogicaCMG Company.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.

Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.
IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,

IST346:  Web Services. Today’s Agenda  Learn the basics of how the Web works  Understand various web service architectures  Address scaling, security,
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Similar presentations

Ads by Google