Building Secure APEX Applications
Our book takes a lead-by-example approach to demonstrate attacks against security vulnerabilities in APEX applications. We show the reader how simple mistakes can open up risks in APEX applications, and then guide them through using simple “hacker” techniques to exploit the issues. The reader is then shown the correct way to secure their application so such exploitation is not possible. The book also covers Access Control, Cross-Site Scripting, SQL Injection and the APEX Item Protection mechanisms.
Many of the examples in the book have been stripped down to be simple, to show the core problems and solutions. We also list some more complex examples taken from real-world applications (suitably anonymised!) to ground the security risks. Explanations of why the fixes are relevant and the impact of attacks are also included.
We hope our examples and explanations help APEX developers create secure applications.
To give you a taste of what to expect in the book we have produced a series of short videos that run through the examples from the “SQL Injection” chapter of the book.
Cursors Example Code
declare
  TYPE cur_typ IS REF CURSOR;
  l_cur  cur_typ;
  l_sql  VARCHAR(256);
  l_data VARCHAR(256);
begin
  htp.p('<table>');
  -- The page item value is concatenated straight into the SQL text:
  -- this is the injection point the video demonstrates
  l_sql := 'select dname from dept where deptno = ' || nvl(:P3_DEPTNO,0);
  open l_cur for l_sql;
  loop
    fetch l_cur into l_data;
    exit when l_cur%NOTFOUND;
    htp.p('<tr><td>' || l_data || '</td></tr>');
  end loop;
  close l_cur;
  htp.p('</table>');
end;
APEX API Example Code
declare
  l_query varchar2(2000);
begin
  if APEX_COLLECTION.COLLECTION_EXISTS(p_collection_name => 'TEMPEMP') then
    APEX_COLLECTION.DELETE_COLLECTION(p_collection_name => 'TEMPEMP');
  end if;
  -- Quoting the item value by hand does not make it safe: a quote character
  -- in :P4_JOB still changes the query that the collection is built from
  l_query := 'SELECT empno,ename,sal FROM emp WHERE job = ''' || :P4_JOB || '''';
  APEX_COLLECTION.CREATE_COLLECTION_FROM_QUERY(
    p_collection_name => 'TEMPEMP',
    p_query           => l_query);
end;
Function Returning SQL Query Example Code
declare
  l_query VARCHAR2(1024);
  l_where VARCHAR2(1024);
begin
  l_query := 'select dname,deptno from dept';
  if :P5_MATCH is not null then
    -- The search term becomes part of the SQL text that APEX executes,
    -- so the user controls the WHERE clause rather than a bound value
    l_where := ' where dname like ''%' || :P5_MATCH || '%''';
    l_query := l_query || ' ' || l_where;
  end if;
  return l_query;
end;
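For comparison, here are hardened counterparts of the three snippets above. This is an added illustration, not code from the book or its videos: it keeps the page's own tables and items (dept, emp, :P3_DEPTNO, :P4_JOB, :P5_MATCH) and in each case replaces string concatenation of the item value with a bind variable, which is the fix the videos work towards. The bind name :b_deptno, the local variable names and the apex_escape.html call on the output are our additions; APEX_COLLECTION.CREATE_COLLECTION_FROM_QUERY_B with p_names/p_values is the documented bind-aware variant of the collection API.

```plsql
-- Added example (not the book's code): bind-variable versions of the three
-- SQL Injection chapter snippets. Units are separated by "/" as in a script.

-- 1. Cursors example. The SQL text is now a constant; the page item value
--    travels through the USING clause, so it cannot alter the statement.
declare
  TYPE cur_typ IS REF CURSOR;
  l_cur    cur_typ;
  l_sql    VARCHAR2(256);
  l_data   VARCHAR2(256);
  l_deptno NUMBER;
begin
  -- Non-numeric input now raises ORA-01722 instead of rewriting the query
  l_deptno := to_number(nvl(:P3_DEPTNO, '0'));
  l_sql := 'select dname from dept where deptno = :b_deptno';  -- :b_deptno is our bind name
  htp.p('<table>');
  open l_cur for l_sql using l_deptno;
  loop
    fetch l_cur into l_data;
    exit when l_cur%NOTFOUND;
    -- The original wrote DNAME into HTML unescaped; escape it on output
    htp.p('<tr><td>' || apex_escape.html(l_data) || '</td></tr>');
  end loop;
  close l_cur;
  htp.p('</table>');
end;
/

-- 2. APEX API example. The query references :P4_JOB as a bind and the value
--    is supplied through p_names/p_values, so no quoting of the item is needed.
declare
  l_names  apex_application_global.vc_arr2;
  l_values apex_application_global.vc_arr2;
begin
  if APEX_COLLECTION.COLLECTION_EXISTS(p_collection_name => 'TEMPEMP') then
    APEX_COLLECTION.DELETE_COLLECTION(p_collection_name => 'TEMPEMP');
  end if;
  l_names(1)  := 'P4_JOB';
  l_values(1) := :P4_JOB;
  APEX_COLLECTION.CREATE_COLLECTION_FROM_QUERY_B(
    p_collection_name => 'TEMPEMP',
    p_query           => 'SELECT empno, ename, sal FROM emp WHERE job = :P4_JOB',
    p_names           => l_names,
    p_values          => l_values);
end;
/

-- 3. Function Returning SQL Query example (region source body). The item is
--    referenced as a bind inside the generated SQL; the wildcard concatenation
--    now happens in the database on the bound value, not in the query text.
declare
  l_query VARCHAR2(1024);
begin
  l_query := 'select dname, deptno from dept';
  if :P5_MATCH is not null then
    l_query := l_query || ' where dname like ''%'' || :P5_MATCH || ''%''';
  end if;
  return l_query;
end;
```

In all three cases the text of the statement is fixed at development time and the only thing the user influences is the value that Oracle binds, which is what removes the SQL injection risk; the LIKE wildcards in the last snippet are still applied, but to data, not to code.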
Purchase our book from any of the retailers listed above to get a more in-depth explanation of the vulnerabilities and solutions included within these videos as well as a wide range of other topics including Access Control, Cross-Site Scripting, Item Protection and other ever-present security risks within APEX applications.