XssExamples r12 - 03 Jul 2007 - 14:50 - PeterLorenzen

Cross-site scripting (XSS)

XSS can mean a lot of different things, but a simple definition is that an attacker inserts JavaScript into an application, and when another user uses the application this code is executed in that user's browser. The script code can steal data or corrupt the application. For a thorough explanation of the different types of XSS check here.

Simple Report Example

Here is a simple example of XSS in APEX 3.0:

  1. Create a simple table that contains a VARCHAR2 column and a sequence. Something like this:
    
          create table security_test
          (
              id  number            not null, 
              txt varchar2(4000), 
              constraint security_test_pk primary key (id)
          );
    
          create sequence sec_seq;
       
  2. Create a Form on the table of type “Form on a Table with Report”
  3. Run the Report and create a row. In the input field put:
    
          Test<script>alert('Hello world');</script>
       
When you press Create and branch back to the Report the JavaScript is executed and you should see an alert message.
[Screenshot: xss01.JPG]

This way one user can write a malicious JavaScript that is executed when another user displays the Report page.

To prevent this, change Display As from "Standard Report Column" to "Display as Text (escape special characters, does not save state)":

  1. In the Region definition press the Report link
  2. Press the edit button in front of the txt column
  3. Change Display as in the Tabular Form Element block

Now the JavaScript is not executed. The reason is that special characters such as <, >, & and " are now escaped. If you look at the page source it looks like this:


      Test&lt;script&gt;alert('Hello world');&lt;/script&gt;


[Screenshot: xss02.JPG]

Report columns with the Display As settings below are also vulnerable to XSS attacks. But since they are used with LOVs it should not be such a big problem.

  • Display as Text (based on LOV, does not save state)
  • Select List (static LOV)

To read more about XSS check Managing Application Security in the User’s Guide.

PL/SQL Dynamic Content Example

Here is another simple example of XSS:

  1. Create a region on your report page of type PL/SQL Dynamic Content
  2. Paste this code into the PL/SQL Source:

      <<myLoop>>
      for sec_rec in (select txt
                        from security_test
                     )
      loop
        htp.p('Txt : '||sec_rec.txt);
        htp.br;
      end loop myLoop;                  
   

When you run the Report the alert will be shown for the new region also.

To prevent this, change your code to this:


      <<myLoop>>
      for sec_rec in (select txt
                        from security_test
                     )
      loop
        htp.p('Txt : '||htf.escape_sc(sec_rec.txt));
        htp.br;
      end loop myLoop;                  
   

Here htf.escape_sc saves us.
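As an added example (not code from the original page), here is a reusable procedure that renders the same rows but applies htf.escape_sc everywhere the value is placed in the HTML, in an attribute as well as in the text. It assumes the security_test table from step 1 above and the standard htp and htf packages; the procedure name is my own.

```plsql
-- Added example, not from the original page: render security_test
-- with every user-controlled value escaped before it reaches the
-- browser. Assumes the security_test table created above.
create or replace procedure render_security_test
is
begin
  htp.p('<ul>');
  for sec_rec in (select id, txt
                    from security_test
                   order by id)
  loop
    -- txt is user-controlled. htf.escape_sc turns <, >, & and " into
    -- their entities, so a stored "<script>" is displayed, not executed.
    -- The same escaped value is safe inside a double-quoted attribute,
    -- because the double quote is escaped as well.
    htp.p('<li title="' || htf.escape_sc(sec_rec.txt) || '">'
          || 'Txt : ' || htf.escape_sc(sec_rec.txt)
          || '</li>');
  end loop;
  htp.p('</ul>');
end render_security_test;
/
```

Call it from a PL/SQL Dynamic Content region as render_security_test;. Escaping is done at output time, so the stored value stays raw; escaping on the way into the table as well would double-escape it on display. Keep attribute values in double quotes, since the double quote is among the characters htf.escape_sc escapes.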

Convert Select List to Text Input example

Here is an example of XSS combined with converting a select list to a text input field.

For this example you need Firefox with the Web Developer Extension.

There is a Developer Toolbar for IE too but it does not have the option we are using here.

  1. Create a simple table and a sequence. Something like this:
    
          create table security_test
          (
              id  number            not null, 
              txt varchar2(4000), 
              constraint security_test_pk primary key (id)
          );
    
          create sequence sec_seq;
       
  2. Create a Form on the table of type “Form on a Table with Report”
  3. On the Form page change the Display as to Select List and paste this into the List of values definition:
    
          STATIC2:Apple;A,Bee;B,Cinnamon;C 
       
  4. Run the report and navigate to the form via either create or edit.
  5. In the Web Developer menu choose Forms and then Convert Select Elements To text input.
  6. Now write what you want in the field, for example Test<script>alert('Hello mad world');</script>

[Screenshots: xss03.JPG, xss04.JPG]

So select lists, radio groups etc. will not save you. Hidden or disabled fields can also be manipulated in this way.

To prevent somebody from posting invalid data in your select lists, you can use a check constraint on the table like this:


      alter table security_test add constraint chk_txt check (txt in ('A','B','C'));
   
It can also be prevented by doing the check in a database trigger or in an APEX page validation process.

I am a firm believer in that constraints and rules should be put as close to the data as possible, e.g. in the database. That way you only have to write your logic once and not in every application that uses your data.
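As an added example (not from the original page), this is the trigger alternative mentioned above: a before insert or update trigger that enforces the same whitelist as the check constraint. It assumes the security_test table from step 1; the trigger name and the error number are my own choices.

```plsql
-- Added example, not from the original page: enforce the same
-- whitelist as the check constraint, in a row-level trigger.
-- Assumes the security_test table created in step 1.
create or replace trigger security_test_biu
  before insert or update of txt on security_test
  for each row
begin
  -- Like the check constraint, a NULL passes here. Add "or :new.txt is
  -- null" to the condition (or a NOT NULL constraint) if txt is mandatory.
  if :new.txt is not null
     and :new.txt not in ('A', 'B', 'C')
  then
    -- The rejected value is deliberately not echoed back: error text
    -- is itself rendered on a page.
    raise_application_error(-20001,
      'txt must be one of A, B or C');
  end if;
end security_test_biu;
/
```

Note that a check constraint only rejects rows for which the condition is false, not unknown, so txt in ('A','B','C') also lets NULL through; add a NOT NULL constraint if the column is mandatory. An APEX page validation of type PL/SQL Function Returning Boolean can apply the same test by returning :PX_TXT in ('A','B','C'), where PX_TXT stands for your page item name.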

QA Script

As we have seen, report columns with Display As "Standard Report Column" are open to XSS attacks. This script will identify any report column of this type:


      select application_id,
             application_name,
             page_id,
             region_name,
             column_alias
        from apex_application_page_rpt_cols
       where display_as ='Standard Report Column'
         and workspace !='INTERNAL'
       order by application_id,
                application_name,
                page_id;

If you have a lot of report columns with Display As "Standard Report Column" it can take some work to change them all to "Display as Text (escape special characters, does not save state)". An easy way to do this is to export the application to a file, do a search and replace in the file, and then import the file again. You need to replace all WITHOUT_MODIFICATION with ESCAPE_SC.

Additional Information

  • For more XSS examples check this site



Author: PeterLorenzen - 25 Apr 2007
