Thursday, 18 July 2013

Oracle APEX - XSS in JavaScript column link URL

The more security conscious of you may have noticed, or may be interested to know, that there is a cross site scripting vulnerability in the column link URL when using JavaScript. This is regularly flagged in our ApexSec security scanner. In this post we will use an application with JQuery's modal dialog to illustrate this common vulnerability and its simple solution. - Check out our previous post on how to have page access protection for pages inside modal windows.

This type of problem has been mitigated in APEX 4.2.2, if the URL field of your link column starts with 'javascript:', APEX will JavaScript escape the template variables before replacing them within the JavaScript block. This is a security upgrade intended to remove the risk of this type of Cross Site Scripting (XSS) attack.

This vulnerability is with the second parameter of the modal window call (in this case the #ENAME# template variable). Modal dialogs are a common feature within any application and they allow you to give the dialog a dynamic title to enhance the User Experience (UX).

In our example, the title of the modal window opened when the edit link in the report is clicked is defined by the 'ENAME' column. So if you click to edit the employee named 'blake' then the title of the window is 'blake'. Here you can see the difference between the JavaScript in the previous blog post and the Javascript necessary to have a dynamic title in the modal window:

       Comparison of the JavaScript used in our previous blog post and the JavaScript required for a dynamic title.

We have added a second parameter called 'title' to our mymodal function. The title is no longer being defined literally as “Some title” and is now defined by the parameter variable 'title'.

Now navigate to the URL field in the link column section of the report attributes and use the template variable #ENAME# to pass the value from the ENAME column into the title parameter of the 'mymodal' function..

Whenever an edit link is clicked, the title of the modal window is set to the value of the “ENAME” column for that row in the report.

The vulnerability occurs because the template variable is only HTML escaped. This leads to an injection attack within this function call. Because the template variable occurs within a JavaScript block you can pass any text you like into the title, including JavaScript and you are therefore vulnerable to a XSS attack;

If you are using a version of APEX less than 4.2.2, your first course of action should be to ensure that the URL field for your link column is not passing a potentially malicious title to the modal window function. Our method of doing this is to create a new column in the query for your report with the following PL/SQL:

This JavaScript escapes the values in the column “ENAME” and then names this new column “ENAME_JS”. You can go ahead and make this column "HIDDEN" in order to maintain a user friendly report. Now in the URL field for the link column your second parameter should be changed from “ENAME” to “ENAME_JS”. This ensures the values being passed into your modal window function are JavaScript escaped.

In our next post we will discuss a known bug in the JQuery version that is shipped with APEX 4.2.2, as it causes another cross site scripting vulnerability in this example application that also must be fixed in order to fully erradicate the threat of XSS.

Click here to download the application used in this example.

No comments:

Post a Comment