Oracle also gave public credit to Recx ApexSec for helping to secure Apex 4.
RMOUG 2018 Summer Educational Workshop
Do your IR settings help or hinder end-user performance? Do you know how to make end-user IR searches smarter and faster? We then discuss and demonstrate how typical declarative settings influence end-user performance. How many rows are too many? When does using a select list slow response time? Why are your users not seeing all options? The Raspberry Pi is a wonderful experimentation platform.
Hands-On Training: Build Something! This hands-on lab will introduce you to the Internet of Things by allowing you to build your own thing and connect it to an Oracle APEX application. Finally, you will build an APEX application to control your thing and report on its data.
Please note there are two scheduled times to see this session. Dynamic Actions are the declarative way for developers to add usability and features to an application. In this session, we will introduce Dynamic Actions by evaluating requirement scenarios that developers may encounter during the usability testing phase of an application.
We will discuss options for improving usability and discuss capabilities of the Dynamic Action features to improve APEX applications. Did you benchmark an application that utilizes polling with more than 1, clients? I did! You should take a look at the result and see how to avoid all those bottlenecks using WebSocket technologies. See how you can utilize WebSockets to send messages to all your clients without wasting your network and database resources. Allow me to prove it!
A performance test will amaze you! One of the most important things is server-side validation, which of course protects against DOM manipulation. You may give somebody a particular type of control, like a select list with a subset of all available options such as departments. Your protection against that is to use validations to validate what you need.
There are also hidden items and these can be made protected. Read-only is also protected. Here you have a state select list. And this is a silly example. If I want to change these values here, I can certainly do that.
So selecting Alabama would in fact map Florida to session state and push that into the database. Watch out for that; use validations. Now, this is used all over APEX already. Interestingly enough, this is set to no; it should be a yes. Here it is. It has a value of 7. We have two main classes of vulnerabilities with SQL injection. The first is the use of substitution strings; you also have to watch out for dynamic SQL statements, which hopefully would be rare. A lot of developers get in the habit of using them perhaps more than they should, or more than they need to.
You should almost never have to use this really. The first thing you need to watch out for is using substitution strings in concatenation. You have to learn the proper way to use bind variables or the V function. We type in a search string, and we get our results. The problem is in the way that this has been implemented. He chose to build up the SQL query.
This is the wrong way to use bind variable syntax in your query. What about all the customers? Now, the weird thing is that you can actually take this further rather than just getting customer-related data. You can learn more about the APEX workspace. We hit go now.
I can find out which items are hidden, which are protected, which are not. I can start to learn about your application to find the exploits. Once someone gets their foot in the door with a SQL injection vulnerability, it gets a lot easier for them to start hacking the rest of your app.
So this is definitely something you have to watch out for. We apply that change, run it and try the same hack. Nothing comes back. So you have to learn how to use bind variables, the V function, execute immediate, dynamic SQL, all this stuff; you have to learn how to use it correctly. You have to watch out for what can happen when they use it a different way. If they put certain tags into fields where the data is the output, later the browser will actually just look at that as though it were native HTML code for the webpage. So if they put in a script tag, guess what, the browser will execute it.
APEX provides us with some tools to work around this. You actually have to undo them to shoot yourself in the foot. The intent is just to let everybody sort of share their thoughts and be able to comment in a shared location. He took the URL when he was done with it. Now we see create. What it does is not so innocent. Because this is open to the public, you just have to have an account to be able to post.
And then goes to post a new comment. I have to show you another way. He creates this message, and it looks innocent enough on the surface. We go back to IE, refresh, go back to Chrome, now we have two. What do I have in here? I have this cookie data. Grabs this value, grabs this value.
So we run this script, it executes and gives us this URL. I must have made a mistake. As I mentioned, this is the tough one that could go wrong. In Firefox using — this is not working for me. I seem to be missing something in the cookie information. I tested this yesterday; it worked just fine.
It could be as dangerous as bringing in code from another site that grabs cookies to do session hijacking. Again, this is not an APEX-specific issue. This is something more serious. It has to do with web development in general, so you need to lock things down. Using SSL is a step in the right direction in this case. You have this functionality built in. The default session length is 8 hours max. We actually built a plugin to work with this a little bit better. This will modify that a little bit. It will actually log the user out and take them to the login screen.
Outline: Overview; Controlling Access; Authentication Schemes; Protect the Ends; Session State Protection.
No problem. So how would we implement this in APEX? I need to go to the SQL Workshop. We start with 7. There we go. Sorry about that. Can or could you change the app user ID to admin in the address bar? Where were we?
Outline (continued): Other Session State Protection; SQL Injection; Cross Site Scripting.
This is one simple demo. Log in.