Transcript

#APEX5

5 Security & 5 Performance

Techniques for APEX projects

Scott Wesley

@swesley_perth

www.packtpub.com/content/oracle-apex-techniques/video

9,192,631,770 times

http://hyperphysics.phy-astr.gsu.edu/hbase/acloc.html

1 metre

Security has layers

Conditions: Declarative vs Dynamic

Named Column (Row Template)

Any condition, anywhere

Timing is everything

Process point

https://apex.oracle.com/pls/apex/f?p=73000

Sum (1%ers): t * 50 = 1.5s

Alternative?

Dynamic PL/SQL Region

htp.tableopen();
...
if r_rec.some_value < 0.2 then
  htp.tabledata();
else
  ...

Performance

Security

http://www.grassroots-oracle.com/2013/05/performance-of-apex-conditions.html

Process point

#APEX5

'After Authentication'

"The first time your authenticated session is used for an application"

Low Hanging Fruit

PL/SQL

Applicable to any form of PL/SQL

Plugins out-of-box

Modularise your applications - but log in once

Plug-ins tweaked

Menu App

Conditions

Post Authentication

App Alias : LOGIN

User interface -> Login URL

f?p=LOGIN

http://www.grassroots-oracle.com/2014/04/shared-authentication-across-multiple-apex-apps.html

select round(avg(execution_time),5) avg_time
     , message
  from apex_debug_messages
 where message like '%sparkline%'
 group by message;

CRM

Bookings

on new instance

imitates post-authentication

(<= 4.2)

PL/SQL Packages

Application Sharing

#APEX5

Declaratively link between apps

http://roelhartman.blogspot.nl/2014/08/apex-5-new-column-link-features.html

#APEX5

Workspace Authentication Scheme

details to come with release of documentation?

Multiple Menu Methods

Every application has one

Feature Management

upgrade from 3.2

Menus

Features by Role

so many options

encapsulate pl/sql

Authorisation Schemes

declarative conditions

+ links

+ buttons

+ items

+ regions

+ columns

+ rows

+ pages

+ processes

+ dynamic actions

Conditions

consider materialised view

especially if using apex_ views

and is rendered on every page

consider security clause

Plug-in Patterns

URL Tampering

exists (app/page/role)

http://www.grassroots-oracle.com/2013/05/css-pull-down-menu-using-apex-list.html

Conditions

Extremely flexible

Re-use your own wheel

component re-use patterns

For every Dynamic Action

CSS

XSS

that has a notification event

means rendering the same thing many times

Event: Change

Item: P0_SIGNAL

Users are factories for bad data

One render of plug-in, used many times

Not all performance gains come from the database

JAMES&lt;!--5

JAMES<!--5

p_code => 'ONE'' OR ''1''=''1'

Even users figure this out

Selectors

SQL Injection

doesn't need to be malicious to break your application

XSS

Access pages not allowed

garbage

writing dynamic sql

Access data not allowed

#id vs .class -> comparable to indexes

sql using 'Standard Report Column'

http://www.artzstudio.com/2009/04/jquery-performance-rules/

l_sql := 'SELECT description FROM open_tab WHERE code = ' || SYS.DBMS_ASSERT.ENQUOTE_LITERAL(p_code);
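As an added illustration (this is not code from the slides), the same lookup written three ways in PL/SQL: the concatenated form that the deck's ONE' OR '1'='1 input breaks, the DBMS_ASSERT.ENQUOTE_LITERAL form shown on the slide, and a bind-variable form that needs no quoting at all. The table open_tab with columns code and description is assumed from the slide; the function names are hypothetical.

```plsql
-- Added example, not code from the slides. Assumes the table implied by the deck:
--   open_tab (code varchar2(30), description varchar2(200))
-- Function names are hypothetical.

-- BAD: the caller's value is spliced into the statement text. The deck's input
--   ONE' OR '1'='1
-- turns the predicate into  code = 'ONE' OR '1'='1'  and the query matches
-- every row (here surfacing as ORA-01422 "exact fetch returns more than
-- requested number of rows", which breaks the page even when nobody meant harm).
create or replace function open_desc_unsafe(p_code in varchar2) return varchar2 is
  l_sql  varchar2(4000);
  l_desc open_tab.description%type;
begin
  l_sql := 'SELECT description FROM open_tab WHERE code = ''' || p_code || '''';
  execute immediate l_sql into l_desc;
  return l_desc;
end open_desc_unsafe;
/

-- BETTER (the slide's fix): ENQUOTE_LITERAL wraps the value in single quotes and
-- insists that any embedded quote is already doubled, so a value carrying a stray
-- quote raises ORA-06502 instead of rewriting the WHERE clause.
create or replace function open_desc_enquoted(p_code in varchar2) return varchar2 is
  l_sql  varchar2(4000);
  l_desc open_tab.description%type;
begin
  l_sql := 'SELECT description FROM open_tab WHERE code = '
           || sys.dbms_assert.enquote_literal(p_code);
  execute immediate l_sql into l_desc;
  return l_desc;
end open_desc_enquoted;
/

-- BEST: a bind variable. The value never becomes statement text, so there is
-- nothing to quote, and the shared cursor also serves the deck's performance
-- theme (one parse, many executions).
create or replace function open_desc_bound(p_code in varchar2) return varchar2 is
  l_desc open_tab.description%type;
begin
  execute immediate 'SELECT description FROM open_tab WHERE code = :code'
    into l_desc using p_code;
  return l_desc;
end open_desc_bound;
/
```

Inside an APEX region the dynamic SQL is usually unnecessary anyway: write the region source as `select description from open_tab where code = :P6_CODE` and APEX binds the page item for you, which is the declarative route the deck keeps recommending.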

apex_item.text(2,ename)

https://apex.oracle.com/pls/apex/f?p=73000:6:25081683920960::NO::P6_EMPNO:3

or HTML Expression

DBMS_ASSERT

Images

<span title="#TOOLTIP#">#ITEM#</span>

Don't just secure menu

APEX_ESCAPE.HTML(column)

Binary vs Sprite vs Data URI

literals in JavaScript

jQuery

jsPerf.com

http://www.dotnetcurry.com/showarticle.aspx?ID=986

alert("You entered &P1_TEXT!JS");

http://stackoverflow.com/questions/648004/what-is-fastest-children-or-find-in-jquery

#APEX5

http://roelhartman.blogspot.nl/2014/09/apex-5-new-substitution-syntax-features.html

data-attribute

SQL Reports - build more into HTML to save AJAX

Application Process - all pages

Redirect if not allowed

That's better

http://news.softpedia.com/news/Citigroup-Hackers-Used-URL-Manipulation-to-Extract-Data-206356.shtml

Go declarative

Encapsulate

Pre-calculate

Re-use

Client CPU

DDoS

Buffer Overflow

XSS Attack

SQL Injection

Defence in Depth

Dynamic PL/SQL Regions

Plug-ins

AJAX Callbacks

Computations

Page Processes

Dynamic Actions

Page Branch

Any condition -> whatever you want

'On Load: Before Header'

ugh

sys.htp.script('alert("You entered "+' || apex_escape.js_literal(l_string) || ');');

And what's wrong with this?

Page Attributes

-> Error page

Authorisation Scheme

#APEX5

On New Instance (New Session)

:APP_USER = 'nobody'

Initialise Roles

One entry point

Customise UI

Hacking for dummies

Sanitise everything

http://www.ebaytechblog.com/2011/07/12/data-uri-sprites/#.VC1I1WCSzCJ

http://www.skylinetechnologies.com/Blog/Article/2474/CSS-Images-Sprites-vs-Data-URIs.aspx

http://www.mobify.com/blog/css-sprites-vs-data-uris-which-is-faster-on-mobile/

Tabsets

Enkitec Plugin

Static List

Dynamic List

1 / 10,000,000

Post-Authentication

:APP_USER = 'SWESLEY'

XSS news in 2014

eBay

PayPal

http://threatpost.com/paypal-site-vulnerable-to-xss-attack/100787

http://www.scmagazine.com/ebay-subdomains-vulnerable-to-xss-attacks-researchers-find/article/348687/

TweetDeck

Amazon

cross-site scripting

http://www.theguardian.com/technology/2014/jun/11/twitter-tweetdeck-xss-flaw-users-vulnerable

https://twitter.com/MattRosoff/status/476766506525945856

http://b.fl7.de/2014/09/amazon-stored-xss-book-metadata.html

Session State Protection

Can impact jQuery

- updating protected items

http://jeffkemponoracle.com/2014/10/09/submit-from-jquery-modal-causing-session-state-protection-violation/

Build into SQL

Consider VPD

#APEX5

Component Level Security

:APP_COMPONENT_TYPE

:APP_COMPONENT_ID

:APP_COMPONENT_NAME

http://roelhartman.blogspot.nl/2014/09/apex-5-new-authorization-evaluation.html

Authorisation Scheme

Declarative but mutually exclusive

Developer

DBA

{Not Developer}

{Not DBA}

Bind Variables

Logic

(primed in Post Authentication)

PL/SQL Expression on Application Items

'Y' IN (:F_IS_DEVELOPER, :F_IS_DBA)

Populate Collection

EXISTS (select null
          from apex_collections
         where collection_name = 'AUTH_SCHEMES'
           and c001 = 'ROLE_DEVELOPER')

unlikely what you're looking for

... but we all try at least once

nobugsonlyfeatures

*********************************************

Onions have layers

Ogres have layers

APIs

to Authorisation Scheme

apex_util.public_check_authorization('developer_scheme')

to User Groups

apex_util.current_user_in_group('dba_group')

probably what you're after

-- Populate custom authorisation (application items, collection)
