Friday, 4 May 2012

Securing Oracle Apex - Plugin 'HTML Markup for APEX Tree'

It is always sad to find security problems in other people's hard work, but we should all be aware of the risks of using a particular plugin so that it can be used efficiently and securely.

We were asked recently about the usage of this plugin, HTML Markup for APEX Tree, so we decided to take a look.
This plugin enables HTML markup within an APEX Tree region, which normally escapes all HTML special characters. The idea is to use replacement characters for "<", ">" and "&" in the tree SQL query and to configure these in the plugin. The plugin fires as a dynamic action after page load and uses some jQuery logic to activate the HTML markup by changing the replacement characters back into HTML syntax.
This sounds very dangerous, and indeed it is: by subverting the built-in protections of APEX, this plugin significantly reduces the security of the APEX tree region. The example code contains the following.

case
when sal < 2500 then '[b style="color: green"]'||"ENAME"||'[/b] [img src="/i/Fndokay1.gif" height="12"]'
when sal < 4500 then '[b style="color: black"]'||"ENAME"||'[/b]'
else '[b style="color: red"]'||"ENAME"||'[/b]'
end as title,

Because the JavaScript in the plugin replaces every '[' character with '<' and every ']' character with '>', a cross-site scripting payload simply needs those characters substituted. Setting ENAME in the database to something like:

[script]alert('java')[/script]

will result in the script running in the browser, proving that injected code is executed. If you absolutely must use this plugin, then the data appearing in the tree must not be modifiable by any client-side request.
ApexSec 2.2 has been updated with a check for this plugin.
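As an added illustration (not code from this post or from the plugin itself), the JavaScript below contrasts the blanket bracket replacement described above with an allowlist version that only converts the tokens the query author intended. The tag list, attribute patterns and sample node titles are assumptions constructed for the demonstration; only the '[' and ']' replacements are modelled, not the '&' one.

```javascript
// Unsafe transform, as described in the post: every '[' and ']' in the
// node title becomes markup, including characters that arrived via data
// such as ENAME.
function applyMarkupUnsafe(title) {
  return title.replace(/\[/g, "<").replace(/\]/g, ">");
}

// Allowlist of bracketed tokens that may become HTML (assumed patterns,
// modelled on the example query: bold with a colour, and an /i/ image).
// Anything else, including a [script] tag smuggled in through data,
// stays as literal text.
const ALLOWED = [
  /^\[b(?: style="color: [a-z]+")?\]$/,
  /^\[\/b\]$/,
  /^\[img src="\/i\/[\w.-]+\.gif"(?: height="\d{1,3}")?\]$/,
];

function applyMarkupSafe(title) {
  // Only complete bracketed tokens are examined; stray brackets are left alone.
  return title.replace(/\[[^\[\]]*\]/g, (token) =>
    ALLOWED.some((re) => re.test(token)) ? "<" + token.slice(1, -1) + ">" : token
  );
}

// Constructed sample titles: what the example query yields for a benign
// ENAME, and for an ENAME holding the bracket payload from the post.
const benign = '[b style="color: green"]SMITH[/b] [img src="/i/Fndokay1.gif" height="12"]';
const hostile = '[b style="color: red"][script]alert(\'java\')[/script][/b]';

if (typeof require !== "undefined" && require.main === module) {
  console.log(applyMarkupUnsafe(hostile)); // script tag becomes live markup
  console.log(applyMarkupSafe(hostile));   // script tag stays as literal text
  console.log(applyMarkupSafe(benign));    // intended markup still works
}
```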

2 comments:

  1. Sounds a bit condescending. What is so sad about it? One should simply know the consequences of one's actions. There are lots of cases where the name/title of the tree node is not subject to end user manipulation and is therefore NOT insecure.

    Regards, Garry Lawton

  2. Garry,
    Sad, only in the sense that it takes much longer to create something than it takes to come along and highlight "security issues". You are correct and indeed the author has now included the relevant documentation to the plugin to avoid confusion. It is difficult and time-consuming to "simply know" the (security) consequences of Apex code which is why we spend a lot of time finding security issues in Apex code for our clients.
