Apps To Fusion

.......contents copyright protected by FocusThread UK Ltd

 
  • Increase font size
  • Default font size
  • Decrease font size
We are glad to announce the launch of Forum for Customizations and Extensions. Click here to visit http://apps2fusion.com/forums
Our OA Framework, BPEL Development & Apps DBA Trainings from USD 299 only [on weekends] . Click here for details.
Also see here fully verifiable feedbacks/testimonials


Prevent URL tampering using APEX Session State Protection

Thursday, 07 May 2009 22:41 Kishore Ryali
 E-mail | Print | PDF 

By now you should be having a fair idea of high usability of Oracle Application Express a.k.a APEX with its easy navigation between pages using column links, branches, breadcrumbs, navigation tabs, etc. For example, in Person Details application you can click on edit icon on a person row which takes you to Edit page for editing and saving that person details. The navigation here is done through column link by setting P4_PERSON_ID page item on Edit page (4) with Person_Id column value. If you observe closely parameters appear on URL string, it looks similar to

http://apex.oracle.com/pls/otn/f?p=62577:4:7632245014057279::NO::P4_PERSON_ID:241

where 7632245014057279 is my session id, P4_PERSON_ID is page item and 241 is page item value.

 


If proper security is not enforced in preventing in URL tampering, user can change the parameter in URL say change Person Id value to 242 in above example, and get that person details. It wouldn't seem as a bigger problem if all the users have same access to information.

Consider this scenario I implemented in Authorization article, A2F_USER cannot edit/delete/create persons. When A2F_USER logins into Person Details application, he/she would not see edit/delete icons and create button as shown below.



Somehow if A2F_USER cleverly understood how APEX URL is constructed, he/she can add Edit page number (4), P4_PERSON_ID, its value keeping same session id and retrieve that person details. Though I used Authorization scheme to restrict A2F_USER from editing, he/she found out a way to edit by tampering the URL like this

http://apex.oracle.com/pls/otn/f?p=62577:4:2506025988561918::NO::P4_PERSON_ID:241

where 2506025988561918 is session id of A2F_USER. Using above URL, he/she can go to edit page as shown below.

 

 

How to prevent URL tampering in APEX?
APEX has another built-in security feature called Session State Protection. This prevents users from tampering URL in your application. URL tampering can adversely affect program logic, session state contents, and information privacy.

You can enable Session State Protection for entire application or page or page item. Once it is enabled, APEX engine adds checksums in generated f?p= URLs. When user modifies the URL and submits it, checksums are computed again. As they differ from earlier checksums, error message is thrown and user is prevented from viewing information in the page.


How to enable Session State Protection?
Enabling Session Protection Protection is a two-step process. First, you enable the feature.
Second, you set page and item security attributes. You can enable Session State Protection from Session State Protection or Edit Security Attributes sections under Shared Components.

Steps to implement Session State Protection for Person Details application are:

  • Go to Shared Components > Session State Protection (Security section). Current Session State Protection status is shown.

Though status is already Enabled, it did not work in first place as it is not assigned to page or page items.

  • You can click on Page / Item / Application Item, to assign session state protection. For our scenario, click on page. Select Page 4 and select Page Access Protection as 'Arguments Must Have Checksum'. Apply Changes.

You can also configure protection at item level.

Session State Protection is implemented for Edit page (4). Now if A2F_USER modifies the URL, he/she will see below message.

See for yourself what happens when you login to Person Details application as A2F_ADMIN, click on edit icon to navigate to Edit page, modify Person_Id in the URL and hit Enter.

URL for the application:

My application can be accessed using the url http://apex.oracle.com/pls/otn/f?p=62577:1

Packaged Application:

My Packaged applications are created using APEX 3.2 version, you can only import them into APEX with same version. This packaged application has supporting objects i.e. table and sample data, along with apex application. You can import and run it without going through the above steps.

Download Packaged Application

Video for deploying packaged application (2:41 min). This video is applicable for deploying packaged applications for my next articles as well.

The zip file has sql files for application (apex_tut03_app.sql) and image (apex_tut03_img.sql).

You will learn more APEX 3.2 security features like hiding parameters on URL, etc. in coming articles.

 

Comments (0)add
Write comment
quote
bold
italicize
underline
strike
url
image
quote
quote
smile
wink
laugh
grin
angry
sad
shocked
cool
tongue
kiss
cry
smaller | bigger

security image
Write the displayed characters


busy