Following on from my last blog, which focused on configuring access control within Apex, the focus of this blog is protecting the session state within an application. We will look at the common issues faced by developers and the tools available within Apex to protect your application.
Web-based applications must protect against URL tampering. If the session state is not protected, a malicious user can control how an application behaves simply by altering the URL. This blog will highlight the main areas of an application that are at risk of URL tampering and provide the Apex-based solution for each problem.
If a hidden item does not need to be altered by the client then Apex allows you to set the hidden item to be ‘Hidden and Protected’. This means that whenever the item is submitted, the value sent by the browser is compared with the value held in session state on the server, so any client-side modification is detected.
Within Apex, Session State Protection should be set to Restricted for all items that control page functionality. A checksum should be required for all items that are passed over the URL to ensure that a user cannot directly change URL values to alter page functionality.
If a user’s session is not properly protected at page level, it may be possible for a malicious user to alter the page, cache and item values carried within the URL.
At page level, Apex includes various protection options to control how pages in an application are accessed. As with item protection, a checksum should be passed within a URL to prevent page and cache alterations through URL tampering. If no page items are passed in the URL then the No Arguments Allowed option can be configured for the page to stop any access to page functionality through the URL.
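The item-level and page-level protection described above is enforced by Apex itself; what the developer has to get right is generating links that carry the expected checksum and setting protected items only from server-side code. The following PL/SQL is an added example (not code from the original post): application 100, page 10, the items P10_CUSTOMER_ID and P10_ROLE, and the CUSTOMERS table are assumed names used purely for illustration. It uses the real APEX_UTIL.PREPARE_URL and APEX_UTIL.SET_SESSION_STATE APIs.

```plsql
-- Added example, not from the original blog. Assumed names: application 100,
-- page 10, items P10_CUSTOMER_ID (Session State Protection: Checksum Required)
-- and P10_ROLE (Session State Protection: Restricted), and a CUSTOMERS table.
declare
    l_raw_url  varchar2(4000);
    l_safe_url varchar2(4000);
begin
    -- A hand-built f?p URL that sets P10_CUSTOMER_ID from the browser.
    -- With the item set to "Checksum Required" (or the page set to
    -- "Arguments Must Have Checksum") Apex rejects this request, because
    -- it carries no cs= checksum and so looks exactly like a tampered URL.
    l_raw_url := 'f?p=' || v('APP_ID') || ':10:' || v('APP_SESSION')
              || '::NO::P10_CUSTOMER_ID:42';

    -- APEX_UTIL.PREPARE_URL appends the &cs=... checksum that the server
    -- recomputes on the next request. Changing the page number, the item
    -- name or the value 42 in the resulting link invalidates the checksum.
    l_safe_url := apex_util.prepare_url(
                      p_url           => l_raw_url,
                      p_checksum_type => 'SESSION');

    -- Typical use: build protected links inside a report rather than
    -- concatenating f?p URLs by hand in the HTML.
    for r in (
        select c.customer_id,
               apex_util.prepare_url(
                   p_url           => 'f?p=' || v('APP_ID') || ':10:'
                                      || v('APP_SESSION')
                                      || '::NO::P10_CUSTOMER_ID:'
                                      || c.customer_id,
                   p_checksum_type => 'SESSION') as edit_link
          from customers c
    ) loop
        htp.p('<a href="' || r.edit_link || '">'
              || apex_escape.html(r.customer_id) || '</a>');
    end loop;

    -- A "Restricted - May not be set from browser" item cannot be set via
    -- the URL or a form post at all; only server-side code may set it.
    -- This is the right place for values that control page behaviour,
    -- such as a role flag derived from the authenticated user.
    apex_util.set_session_state(
        p_name  => 'P10_ROLE',
        p_value => case when v('APP_USER') = 'ADMIN' then 'ADMIN' else 'USER' end);
end;
```

The checksum type 'SESSION' ties the link to the current session, which is the correct choice for links rendered inside the application; 'PRIVATE_BOOKMARK' and 'PUBLIC_BOOKMARK' produce checksums that survive across sessions and are only appropriate for links that users are meant to bookmark. Because PREPARE_URL reads the application's protection settings, the same code keeps working if an item is later moved from Unrestricted to Checksum Required, whereas hand-concatenated URLs start failing at that point.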
As you can see, it is important to protect the pages and items that make up your application from being used in any unintended way. Apex includes a variety of built-in options that allow you to protect your pages without any extra work. Remember to come back for the final blog in this series, which will discuss how Apex can be easily configured to prevent SQL injection and cross-site scripting attacks.
Author: Craig Sykes
Job Title: Senior Oracle Development Consultant
Bio: Craig is a Senior Development Consultant at DSP-Explorer. Craig has an MSc in Computing Science and is an experienced software engineer, utilising development tools such as PL/SQL and APEX to provide bespoke ERP software to both UK and international businesses. Craig has experience developing solutions to connect Oracle systems to a wide range of existing external applications within business environments.