Following on from my last blog, which focused on configuring access control within Apex, the focus of this blog is protecting the session state within an application. We will look at the common issues faced by developers and the tools available within Apex to protect your application.
Part 2 – Session State Protection
Web based applications must protect against a URL being tampered with. If the session state is not protected then a malicious user could control how an application behaves by altering the URL. This blog will highlight the main areas of an application that are at risk of URL tampering and will provide the Apex based solution for each problem.
Hidden Items
Problem
Hidden items are often used to control the functionality of a page by storing data out of site of the user and then performing page actions based on the item value. It is possible to alter items on the page using javascript and URL tampering even if they are hidden from view. A malicious user could manually alter the values of hidden items causing your application to function in an unintended way.
Solution
If a hidden item does not need to be altered by the client then Apex allows you to set the hidden item to be ‘Hidden and Protected’. This means that whenever the item is used, the value is checked against the server to ensure that no modification has occurred.
Item Protection
Problem
Visible page items are often used to control application functionality, but can again be manipulated out of context using javascript by malicious users. The same goes for items set by passing values across the URL. Failing to protect these items could lead to an attack by a user altering these item values to activate undesired page functionality.
Solution
Within Apex, Session State Protection should be set to Restricted for all items that control page functionality. A checksum should be required for all items that are passed over the URL to ensure that a user cannot directly change URL values to alter page functionality.
Page Protection
Problem
If a user’s session is not properly protected on a page level, it may be possible for a malicious user to alter the page, cache and items from within the URL.
Solution
At page level, Apex includes various protection options to control how pages in an application are accessed. As with item protection, a checksum should be passed within a URL to prevent page and cache alterations through URL tampering. If no page items are passed in the URL then the No Arguments Allowed option can be configured for the page to stop any access to page functionality through the URL.
As you can see, it is important to protect your pages and items that make up your application from being used in any unintended way. Apex includes a variety of in-built options to allow you to easily protect your pages without any extra work. Remember to come back for the final blog in this series, which will discuss how Apex can be easily configured to prevent SQL injection and cross site scripting attacks.
Author: Craig Sykes
Job Title: Senior Oracle Development Consultant
Bio: Craig is a Senior Development Consultant at DSP-Explorer. Craig has an MSc in Computing Science and is an experienced software engineer, utilising development tools such as PL/SQL and APEX to provide bespoke ERP software to both UK and international businesses. Craig has experience developing solutions to connect Oracle systems to a wide range of existing external applications within business environments.
.png?width=250&name=stonewater-logo%20(1).png)
