APEX Security - Preventing unauthorized access to your data
Recx
APEX Connect 2015
[email protected]

Recx and APEX Security

APEX Security Consultancy for UK Gov. since 2009.
Developing ApexSec product since 2010.
Continual APEX Security Research (platform, samples, public applications).
Presenting at various OUG conferences in UK since 2012.
Published "Hands-On Oracle Application Express Security: Building Secure APEX Applications" in 2013.
Presented at ODTUG KScope13 in New Orleans.
Presented at APEX Forum in Vienna, 2014.
Sponsored APEX World in Netherlands, 2014.
Presented at ODTUG KScope14 in Seattle.

Recx and APEX Vulnerabilities

SQL Injection - wwv_flow_utilities.gen_popup_list (APEX < 3.2.1, CVE-2010-0892).
SQL Injection - Application Builder 4000 (APEX < 4.1, CVE-2011-3525).
Cross-Site Scripting - Double tagging (APEX < 4.1.1, CVE-2012-1708).
Item Protection - Bypass vulnerability (APEX < 4.2.1, CVE-2013-1519).
ORDS URL Restriction Bypass (ORDS < 2.0.8).
SQL Workshop Privilege Escalation (APEX < 4.2.6, CVE-2014-6483).
"We would like to recognise and thank Recx Ltd. for the use of their ApexSec analysis engine, which has been used to improve the security of Oracle Application Express..." - Oracle

Access-Control

In this session we are going to look at access-control - this term covers the following areas within APEX applications:
Apache / ORDS
Authentication
Authorisation
Item Protection

Web Server & ORDS

Enable SSL and only allow HTTPS connections.
Strip down the web/application servers:
  Remove features, legacy content, default files, admin interfaces...
Web server URL restrictions:
  Allow only /i/ and /ords/, consider mod_rewrite
ORDS configuration:
  Define inclusion list: f, p, z, wwv_*, apex*
Database schema permissions:
  Procedures with EXECUTE granted to PUBLIC can be accessed via the browser.
Authentication

Define an Authentication Scheme:
Application Express Accounts - Used for smaller applications and during development.
Custom - Most common; ensure code is reviewed, operates as expected, and items are protected.
LDAP Directory - Widely used, set Username Escaping to Standard.
HTTP Header Variable - Used in some SSO solutions; prevent direct HTTP access (spoofed header).
Oracle Application Server Single Sign-On - Never observed.
Not recommended:
  Database Accounts
  No Authentication
  Open Door Credentials

Authentication

Any custom authentication scheme should consider:
Account signup and activation - where an application allows users to sign up, their identity should be verified, for example by sending an activation link to their email address.
Account lockout - an account should be temporarily disabled after successive attempts to authenticate with an incorrect password.

Authentication

Any custom authentication scheme should consider:
Password storage - ensure user passwords are stored using a strong cryptographic hashing algorithm, salted with a user-specific value.
Password complexity - depending on the sensitivity of data within the application and the privileges of the account, users must be forced to choose suitably complex passwords.
Password age - users should change their passwords regularly.
Password reset - when users forget their passwords, any reset mechanism must verify their identity (secret questions, email a reset link).
Consider two-factor authentication for sensitive applications or transactions (token, SMS).

Passwords

Source: http://xkcd.com/936/

Authorisation

Apply authorisation to APEX components to provide Role Based Access Control.
APEX pages that are not linked to can still be accessed (sequential URL page numbering).
Watch out for inconsistencies such as authorisation schemes applied to buttons and their associated processes.
Authorisation inconsistency demonstration...
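The password-storage and account-lockout points from the Authentication slides, put into a custom authentication function, as an added example that is not part of the deck or of ApexSec. It assumes the APP_USERS table described in the first comment, EXECUTE on DBMS_CRYPTO, and Oracle 12c or later for DBMS_CRYPTO.HASH_SH512; the (p_username, p_password) RETURN BOOLEAN signature is the one APEX expects from a Custom scheme's authentication function.

```sql
-- Constructed example; assumed table (not in the slides): app_users(username VARCHAR2(64) PK,
--   pw_salt RAW(16), pw_hash RAW(64), failed_logins NUMBER DEFAULT 0, locked_until DATE)
CREATE OR REPLACE FUNCTION app_pw_hash(p_password IN VARCHAR2, p_salt IN RAW) RETURN RAW IS
BEGIN
  -- Per-user salt prepended: equal passwords do not produce equal hashes.
  RETURN DBMS_CRYPTO.HASH(
           src => UTL_RAW.CONCAT(p_salt, UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8')),
           typ => DBMS_CRYPTO.HASH_SH512);
END;
/
CREATE OR REPLACE PROCEDURE app_set_password(p_username IN VARCHAR2, p_password IN VARCHAR2) IS
  l_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh salt on every password change
BEGIN
  UPDATE app_users
     SET pw_salt = l_salt, pw_hash = app_pw_hash(p_password, l_salt)
   WHERE username = UPPER(p_username);
END;
/
-- Register as the Custom scheme's "Authentication Function Name"; APEX passes the
-- submitted credentials and treats TRUE as a successful login.
CREATE OR REPLACE FUNCTION app_authenticate(p_username IN VARCHAR2, p_password IN VARCHAR2)
  RETURN BOOLEAN IS
  c_max_failures CONSTANT PLS_INTEGER := 5;   -- lock after this many consecutive failures
  c_lock_minutes CONSTANT PLS_INTEGER := 15;  -- temporary, as the slide recommends
  l_user app_users%ROWTYPE;
BEGIN
  SELECT * INTO l_user FROM app_users WHERE username = UPPER(p_username);
  IF l_user.locked_until IS NOT NULL AND l_user.locked_until > SYSDATE THEN
    RETURN FALSE;  -- locked out: refuse even a correct password until the lock expires
  END IF;
  IF app_pw_hash(p_password, l_user.pw_salt) = l_user.pw_hash THEN
    UPDATE app_users SET failed_logins = 0, locked_until = NULL  -- counter resets only on success
     WHERE username = l_user.username;
    RETURN TRUE;
  END IF;
  -- Wrong password: count it and set the lock once the threshold is reached.
  UPDATE app_users
     SET failed_logins = failed_logins + 1,
         locked_until  = CASE WHEN failed_logins + 1 >= c_max_failures
                              THEN SYSDATE + c_lock_minutes / 1440 END
   WHERE username = l_user.username;
  RETURN FALSE;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN FALSE;  -- unknown user gets the same answer as a wrong password
END;
/
```

Salted SHA-512 is used because that is what DBMS_CRYPTO offers on those versions; a purpose-built password hash with a work factor (PBKDF2, bcrypt) is preferable where one is available. Unknown users, locked accounts and wrong passwords all return FALSE so the login response does not reveal which usernames exist.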