ApexSec analyses your APEX application for 70 different types of security vulnerability. The vulnerabilities that ApexSec can locate are grouped into classes:
- Access-Control: A common class of vulnerability that allows users to see data they should not be able to reach.
- Authorisation Inconsistency: Where an authorisation scheme is applied to one component but not to a corresponding component (for example a button but not the process it submits), allowing users to reach functions that were intended to be protected.
- Configuration: Best-practice settings that harden your APEX application.
- Cross-Site Scripting: One of the most common risks in web applications. It allows an attacker to run script in a legitimate user's browser, within that user's session, and perform actions as that user.
- Data Protection: Settings that can be used to protect the data within your APEX application.
- SQL Injection: A dangerous class of vulnerability that can allow attackers to execute arbitrary SQL queries or PL/SQL statements.
These are the top-level nodes in the Vulnerability Tree of the ApexSec user interface. In addition, there is a Warnings entry that contains non-critical security risks, together with warnings raised by the ApexSec engine during the security assessment (such as being unable to access tables or packages that are referenced in the APEX application).
Within each class of vulnerability there are several different types of issue that represent the various ways that the risk can be exhibited in APEX applications.
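To make the SQL Injection and Cross-Site Scripting classes concrete, the following is an added example (not code from ApexSec or from the original page) of an APEX PL/SQL page process written the vulnerable way and then the hardened way. The page item `P1_SEARCH`, the table `EMP` and its column `ENAME` are assumed for illustration.

```sql
-- Added example, not ApexSec's own code. Assumes page item P1_SEARCH and
-- table EMP(ENAME); both are hypothetical.

-- VULNERABLE: the page item value is spliced into the statement text, so it
-- is parsed as SQL. Submitting   x' OR '1'='1   returns every row, and a
-- crafted value can call PL/SQL functions or add subqueries. The same raw
-- value is then echoed into the HTML response, which is the XSS issue.
declare
  l_count pls_integer;
begin
  execute immediate
    'select count(*) from emp where ename = ''' || :P1_SEARCH || ''''
    into l_count;
  sys.htp.p('<p>Found ' || l_count || ' rows for ' || :P1_SEARCH || '</p>');
end;
/

-- HARDENED: the value is passed as a bind variable, so the database treats it
-- as data rather than SQL, and it is HTML-escaped with apex_escape.html
-- before being written to the page.
declare
  l_count pls_integer;
begin
  execute immediate
    'select count(*) from emp where ename = :search'
    into l_count
    using :P1_SEARCH;
  sys.htp.p('<p>Found ' || l_count || ' rows for '
            || apex_escape.html(:P1_SEARCH) || '</p>');
end;
/
```

Bind variables cover values only; an identifier taken from a page item (a column to sort by, a table name) cannot be bound and must instead be checked against an allow-list or validated with `dbms_assert.simple_sql_name` before it is concatenated into the statement.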