Creating a new project


To create a new project, either use File | New Project option, or click on the “Click here to create a New Project…” link in the Welcome panel.

For ApexSec to perform a security analysis it needs to know how you would like to retrieve your APEX application. There are four ways that ApexSec can access your APEX applications:


  1. Retrieve application from the APEX Application Builder URL (using HTTP).
  2. Retrieve application from a database APEX workspace schema (using a TNS connection via the Oracle JDBC driver).
  3. Retrieve application from an APEX application export (SQL file or Zip file).
  4. Import Application and Additional SQL sources from a directory.

ApexSec automatically accesses the schemas for tables that are used by your APEX application and processes packages containing procedures and functions that are called by your APEX application, when using a connection to the APEX Application Builder or a TNS connection to the database (options 1 & 2 above). When using options 3 or 4, the associated packages, table schemas, synonyms and views must be included within the “Install Scripts” of your application or in the Zip folder/Directory in order for ApexSec to be able to access them.

The ApexSec Application Builder integration (which allows you to click through from a security risk found by ApexSec directly into the Application Builder in order to rectify the problem) is only available when your project is based on a connection to the APEX Application Builder workspace (option 1 above).

| Project Type | Reads Table Schemas and Packages? | Enables APEX Application Builder integration? |
|---|---|---|
| 1. Retrieve application from the APEX Application Builder URL | Yes | Yes |
| 2. Retrieve application from a database APEX workspace schema | Yes | No |
| 3. Retrieve application from an APEX application export | Only if table schemas, synonyms, views and packages are included in the APEX export, Zip folder or Directory. | No |
| 4. Import Application and Additional SQL sources from a directory | Only if table schemas, synonyms, views and packages are included in the APEX export, Zip folder or Directory. | No |

APEX Application Builder URL

ApexSec can access APEX applications using the APEX Application Builder. This makes an HTTP connection to the URL and authenticates to your workspace to retrieve the APEX application and dependent table schemas and packages.


To allow ApexSec to connect to the APEX Application Builder you need to provide:

  • APEX Web URL: The URL of the APEX Application Builder in your environment, such as http://apex.oracle.com/pls/apex/.
  • Workspace: The name of your APEX workspace (don’t use the INTERNAL workspace, as there are no applications in it).
  • User Name: The username for your APEX Application Builder workspace.
  • Password: Your password for the above account.

When the entered details are correct and ApexSec can connect to the specified URL the Application Chooser is displayed to allow you to select the APEX application you wish to perform the security assessment on. Any connection errors are displayed in the Messages box, and are generally due to network connectivity issues with the specified URL, or incorrect Workspace/Username/Password combinations.

Database APEX Workspace Schema


When connecting to an Oracle database, ApexSec requires the following information:

  • Server Address: The IP address or resolvable DNS name of the Oracle database server.
  • Server Port: The TCP port for the Oracle listener on the server.
  • SID: The database Oracle System ID (SID) that contains your APEX application.
  • User: The name of the schema that contains your APEX applications, or the name of a user who has APEX_ADMINISTRATOR_ROLE privileges.
  • Password: The password that corresponds to the user/schema above.

These are the same details that are required by the SqlDeveloper or Toad tools when accessing your Oracle instance.

For convenience the Server Address, Server Port and SID can be read from the local naming parameters (tnsnames.ora) file. If you have a tnsnames.ora file on your computer, click Browse and navigate to the file. The connection details will then be completed (and the location of the tnsnames.ora file and connection information is saved in ApexSec’s preferences). You then just need to enter the User and Password for the connection.

When these details are correct, the Application Chooser will be displayed, listing the applications that ApexSec can access in your database. Any error that occurs during the connection is displayed in the Messages box. Common errors are due to invalid Address/Port/SID combinations, or credentials that are incorrect.

Granting the APEX_ADMINISTRATOR_ROLE allows a user to see all APEX applications within the database, across all workspaces and schemas. A SYSDBA user can grant it using SQLPLUS or SqlDeveloper with the following SQL statement (where bob is the user that ApexSec will connect as):
 GRANT APEX_ADMINISTRATOR_ROLE TO bob;
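Because APEX_ADMINISTRATOR_ROLE exposes every application in every workspace, it is worth giving ApexSec its own dedicated account rather than reusing a developer's. The following SQL is an added example, not part of the ApexSec documentation; the user name apexsec_scan and the password are placeholders, and the verification queries use the standard DBA_ROLE_PRIVS and APEX_APPLICATIONS views.

```sql
-- Run as a SYSDBA (or a DBA allowed to CREATE USER and GRANT ANY ROLE)
-- in SQLPLUS or SqlDeveloper. apexsec_scan is a hypothetical account name;
-- replace the password placeholder before running.
CREATE USER apexsec_scan IDENTIFIED BY "ChangeMe_Placeholder_1";

-- Only what ApexSec needs: the ability to log in, plus read access to
-- all APEX applications via the role the documentation describes.
GRANT CREATE SESSION TO apexsec_scan;
GRANT APEX_ADMINISTRATOR_ROLE TO apexsec_scan;

-- Confirm the grant took effect (Oracle stores the grantee in upper case).
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'APEXSEC_SCAN';

-- Connected as apexsec_scan: this is the set of applications, across all
-- workspaces, that the ApexSec Application Chooser should be able to list.
SELECT workspace, application_id, application_name
  FROM apex_applications
 ORDER BY workspace, application_id;
```

If the last query returns no rows when run as apexsec_scan, the role grant has not taken effect for that session and the Application Chooser will be empty for the same reason.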

APEX Export SQL or Zip File



ApexSec can process an APEX application that has been exported to an SQL file. This is useful when neither a database connection nor an APEX Application Builder connection can be established (for example if you are working off-site, or are not connected to a network).

ApexSec simply needs to know where your APEX export is located on your computer; use the Browse button to open the standard file system browser dialog to navigate to the location of your export and select it. ApexSec then processes the export file and performs the security analysis. ApexSec now has the ability to scan a Zip file containing the export and any associated packages, table schemas, synonyms and views. As mentioned above, if you choose to use just the export file, these must be included in the “Install Scripts” of your application to ensure a complete analysis.

Import Application and Additional SQL sources from a directory


ApexSec can also process an APEX application and additional SQL Sources from a directory. This works in the same way as using a Zip file. The application export (SQL file) and any associated packages, table schemas, synonyms and views must be included for a complete analysis.

Dynamically Scanning Packages and Calls

You can now choose whether or not to include packages and calls in the scan of your application. For better performance leave this option unchecked.

