Securing Oracle APEX - Cross-Site Scripting
Topic: Application Express
Owner: Nathan Catlow
Date: 2013-05-28
Subtopic: Tips and Techniques

The presentation is structured as follows:

- Introduction
- Overview of Apex Security
- Description of Cross-Site Scripting
- Demonstration of a privilege escalation vulnerability via a Cross-Site Scripting attack
- Top five areas of Apex that are most susceptible to Cross-Site Scripting
  - #1 - Report Columns
  - #2 - Direct Output
  - #3 - JavaScript
  - #4 - Item Escaping
  - #5 - Plugins
- Overview of the less common areas in Apex that suffer from Cross-Site Scripting (HTML Expressions, Pre/Post Text, Substitution Variables, Select Lists, Rich Text, etc.)
- Using the Apex API to escape into the correct context (HTML, URL, JavaScript)
- Demonstration of username/password collection via a Cross-Site Scripting attack
- Tips to help reduce the risks
- Summary and Questions

The demonstrations serve to exhibit the problem of Cross-Site Scripting and the power of such security vulnerabilities in Apex applications. The most common types of Cross-Site Scripting in Apex applications will be presented with details on how to correct the issues within Apex. The demos and samples are sanitised versions of real-world code that we have seen while performing security consultancy for our customers.


Download File: Presentation.pdf
