<Insert Picture Here> Oracle Application Express 4.0 - It s all about Plug-Ins!

Similar documents
Webapps Vulnerability Report

Web Application Security

DIPLOMA IN WEBDEVELOPMENT

SQL INJECTION IN MYSQL

WebCruiser Web Vulnerability Scanner Test Report. Input Vector Test Cases Cases Count Report Pass Rate. Erroneous 200 Responses %

WebCruiser Web Vulnerability Scanner User Guide

Security features of ZK Framework

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Hack-proof Your Drupal App. Key Habits of Secure Drupal Coding

WEB DEVELOPMENT COURSE (PHP/ MYSQL)

Outline. Lecture 18: Ruby on Rails MVC. Introduction to Rails

Progressive Enhancement With GQuery and GWT. Ray Cromwell

External Network & Web Application Assessment. For The XXX Group LLC October 2012

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

Advanced Web Development SCOPE OF WEB DEVELOPMENT INDUSTRY

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

<Insert Picture Here> Oracle Application Express 4.0

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Oracle Database 10g Express

Thomas Röthlisberger IT Security Analyst

Adding 3rd-Party Visualizations to OBIEE Kevin McGinley

J j enterpririse. Oracle Application Express 3. Develop Native Oracle database-centric web applications quickly and easily with Oracle APEX

5 Simple Steps to Secure Database Development

Still Aren't Doing. Frank Kim

Fast track to HTML & CSS 101 (Web Design)

The maturity level of APEX. Patrick Hellemans Competence Manager Technology

<Insert Picture Here>

Developing ASP.NET MVC 4 Web Applications MOC 20486

Top 10 Oracle SQL Developer Tips and Tricks

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Protection, Usability and Improvements in Reflected XSS Filters

601/8498/X IAO Level 3 Certificate in Web Design and Development (RQF)

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

Expanded contents. Section 1. Chapter 2. The essence off ASP.NET web programming. An introduction to ASP.NET web programming

Programming Fundamentals of Web Applications Course 10958A; 5 Days

Statement and Confirmation of Own Work

Crystal Print Control Installation Instructions for PCs running Microsoft Windows XP and using the Internet Explorer browser

Introduction to Ingeniux Forms Builder. 90 minute Course CMSFB-V6 P

Network Security Testing using MMT: A case study in IDOLE project

Web-Application Security

Application Code Development Standards

Agile Web Application Testing

Developing ASP.NET MVC 4 Web Applications

Detection of SQL Injection and XSS Vulnerability in Web Application

Check list for web developers

Software Design Specification

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Sage CRM Version 7.0 Patch Release Notes

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team

Revisiting SQL Injection Will we ever get it right? Michael Sutton, Security Evangelist

Developing Offline Web Application

Application security testing: Protecting your application and data

Rapid Application Development of Oracle Web Systems

An introduction to creating Web 2.0 applications in Rational Application Developer Version 8.0

Using the VMRC Plug-In: Startup, Invoking Methods, and Shutdown on page 4

Hack Proof Your Webapps

Certified PHP/MySQL Web Developer Course

6.2 Reporting BIPublisher Improvements

SQL Injection and XSS

California State University Polytechnic University. CIS 311 Interactive Web Development. Fall 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Oracle Audit Vault and Database Firewall

Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

Oracle Identity Analytics Architecture. An Oracle White Paper July 2010

CSCI110: Examination information.

Developing ASP.NET MVC 4 Web Applications Course 20486A; 5 Days, Instructor-led

Client-side Web Engineering From HTML to AJAX

OCR LEVEL 3 CAMBRIDGE TECHNICAL

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

(WAPT) Web Application Penetration Testing

How To Write A Web Application Vulnerability Scanner And Security Auditor

Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

FileMaker 13. WebDirect Guide

CSCI110 Exercise 4: Database - MySQL

Developers Guide. Designs and Layouts HOW TO IMPLEMENT WEBSITE DESIGNS IN DYNAMICWEB. Version: English

HtmlUnit: An Efficient Approach to Testing Web Applications

GRAPHIC DESIGNER. 2. Creates digital motion graphics work using a variety of software such as Flash.

Framework as a master tool in modern web development

In This Lecture. Security and Integrity. Database Security. DBMS Security Support. Privileges in SQL. Permissions and Privilege.

At the end of this lesson, you will be able to create a Request Set to run all of your monthly statements and detail reports at one time.

Cello How-To Guide. Pickup List Management

Oracle Data Integrator integration with OBIEE

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

What is Web Security? Motivation

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Expert PHP and MySQL. Application Desscpi and Development. Apress" Marc Rochkind

Migrate your Discover Reports to Oracle APEX

5 Mistakes to Avoid on Your Drupal Website

Referencing Web links in the Survey Workbench Questionnaire

WebCruiser Web Vulnerability Scanner User Guide

ACKNOWLEDGMENT. I would like to thank Allah for giving me the patience to work hard and overcome all the

Hacking de aplicaciones Web

ERIE COMMUNITY COLLEGE COURSE OUTLINE A. COURSE TITLE: CS WEB DEVELOPMENT AND PROGRAMMING FUNDAMENTALS

Transcription:

<Insert Picture Here> Oracle Application Express 4.0 - It s all about Plug-Ins! Patrick Wolf Principal Member of Technical Staff - Database Tools

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle. 3

www.oracleapex.info twitter.com/patrickwolf

Plug-ins

Using Plug-ins

D E M O N S T R A T I O N Using Plug-ins

Development

Architecture

Callbacks - Rendering function render_item_type ( p_item in apex_plugin.t_page_item, p_plugin in apex_plugin.t_plugin, p_value in varchar2, p_is_readonly in boolean, p_is_printer_friendly in boolean ) return apex_plugin.t_page_item_render_result

Callbacks - Validation function validate_item_type ( p_item in apex_plugin.t_page_item, p_plugin in apex_plugin.t_plugin, p_value in varchar2 ) return apex_plugin.t_page_item_validation_result

Callbacks - AJAX function validate_item_type ( p_item in apex_plugin.t_page_item, p_plugin in apex_plugin.t_plugin ) return apex_plugin.t_page_item_ajax_result

Interface Record Types type t_page_item is record ( id number, name varchar2(255), label varchar2(4000), format_mask varchar2(255), is_required boolean, standard_validations varchar2(20), lov_definition varchar2(4000), lov_display_extra boolean, lov_display_null boolean, lov_null_text varchar2(255), lov_null_value varchar2(255), lov_query_result_translated boolean, lov_cascade_parent_items varchar2(255), ajax_items_to_submit varchar2(255), ajax_optimize_refresh boolean,...

Interface Record Types... element_width number, element_max_length number, element_height number, element_attributes varchar2(2000), element_option_attributes varchar2(4000), escape_output boolean, attribute_01 varchar2(32767), attribute_02 varchar2(32767), attribute_03 varchar2(32767), attribute_04 varchar2(32767), attribute_05 varchar2(32767), attribute_06 varchar2(32767), attribute_07 varchar2(32767), attribute_08 varchar2(32767), attribute_09 varchar2(32767), attribute_10 varchar2(32767) );

Interface Record Types type t_plugin is record ( name varchar2(45), file_prefix varchar2(4000), attribute_01 varchar2(32767), attribute_02 varchar2(32767), attribute_03 varchar2(32767), attribute_04 varchar2(32767), attribute_05 varchar2(32767), attribute_06 varchar2(32767), attribute_07 varchar2(32767), attribute_08 varchar2(32767), attribute_09 varchar2(32767), attribute_10 varchar2(32767) );

Interface Record Types type t_page_item_render_result is record ( is_navigable boolean default false, navigable_dom_id varchar2(255) /* should only be set if navigable element is not equal to item name */ );

Interface Record Types type t_page_item_validation_result is record ( message varchar2(32767), display_location varchar2(40), /* if not set the application default will be used */ page_item_name varchar2(255) ); /* if not set the validated page item name will be used */

Coding

D E M O N S T R A T I O N Coding a Plug-in

Wrong Tool!

Tool we need!

Package apex_plugin_util apex_javascript apex_css

Security

XSS Attacks

XSS Attacks Attack 1 - Value in database column:

XSS Attacks Attack 1 - Value in database column: This is a <script>alert( XSS Attack );</script> comment with bad code injected

XSS Attacks Attack 1 - Value in database column: This is a <script>alert( XSS Attack );</script> comment with bad code injected

XSS Attacks Attack 1 - Value in database column: This is a <script>alert( XSS Attack );</script> comment with bad code injected Attack 2 - Value submitted - Error page:

XSS Attacks Attack 1 - Value in database column: This is a <script>alert( XSS Attack );</script> comment with bad code injected Attack 2 - Value submitted - Error page: This is a <script>alert( XSS Attack );</script> comment with bad code injected

XSS Attacks Attack 1 - Value in database column: This is a <script>alert( XSS Attack );</script> comment with bad code injected Attack 2 - Value submitted - Error page: This is a <script>alert( XSS Attack );</script> comment with bad code injected Don t trust user data!

XSS Attack Prevention sys.htf.escape_sc(l_data_value) apex_plugin_util.escape ( p_value => l_data_value, p_escape => p_item.escape_output );

SQL Injection

SQL Injection Don t trust user data!

Data from Browser

Data from Browser Don t trust!

Check List

Check List Test with multiple instances!

Check List Test with multiple instances! Avoid inline JavaScript and CSS

Check List Test with multiple instances! Avoid inline JavaScript and CSS Read Only and Printer Friendly Mode

Check List Test with multiple instances! Avoid inline JavaScript and CSS Read Only and Printer Friendly Mode Secure? XSS & Data Validation

Check List Test with multiple instances! Avoid inline JavaScript and CSS Read Only and Printer Friendly Mode Secure? XSS & Data Validation AJAX - Don t leak internal data

Check List Test with multiple instances! Avoid inline JavaScript and CSS Read Only and Printer Friendly Mode Secure? XSS & Data Validation AJAX - Don t leak internal data Help Text for Plug-In and Attributes!

Check List Test with multiple instances! Avoid inline JavaScript and CSS Read Only and Printer Friendly Mode Secure? XSS & Data Validation AJAX - Don t leak internal data Help Text for Plug-In and Attributes! Translateable

Check List Test with multiple instances! Avoid inline JavaScript and CSS Read Only and Printer Friendly Mode Secure? XSS & Data Validation AJAX - Don t leak internal data Help Text for Plug-In and Attributes! Translateable Accessibility

Check List Test with multiple instances! Avoid inline JavaScript and CSS Read Only and Printer Friendly Mode Secure? XSS & Data Validation AJAX - Don t leak internal data Help Text for Plug-In and Attributes! Translateable Accessibility License Information

Sharing

Q & A

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information