5 Security & 5 Performance techniques for Oracle APEX projects

AUSOUG November 2014
by

Scott Wesley

on 20 November 2014


Transcript of 5 Security & 5 Performance techniques for Oracle APEX projects

Scott Wesley
5 Security & 5 Performance
Techniques for APEX projects
@swesley_perth
www.packtpub.com/content/oracle-apex-techniques/video
http://hyperphysics.phy-astr.gsu.edu/hbase/acloc.html
9,192,631,770 times
1 / 10,000,000
Defence in Depth
Sum (1%ers)
XSS Attack
Buffer Overflow
Performance
Security
Post Authentication
Application Sharing
Features by Role
URL Tampering
XSS
Conditions
PL/SQL Packages
Menus
Plug-in Patterns
CSS
DDoS
SQL Injection
Onions have layers
Ogres have layers
Security has layers
Bind Variables
#APEX5
select round(avg(execution_time), 5) avg_time
     , message
  from apex_debug_messages
 where message like '%sparkline%'
 group by message;
* 50 = 1.5s
Any condition, anywhere
Named Column (Row Template)
Alternative?
Dynamic PL/SQL Region
htp.tableopen;
...
if r_rec.some_value < 0.2 then
  htp.tabledata(...);
else
  ...

Go declarative
Plugins out-of-box
Plug-ins tweaked
AJAX Callbacks
Page Processes
Dynamic Actions
Computations
Dynamic PL/SQL Regions
Plug-ins
Applicable to any form of PL/SQL
Encapsulate
Pre-calculate
Every application has one
upgrade from 3.2
Tabsets
Enkitec Plugin
encapsulate pl/sql
Multiple Menu Methods
Static List
declarative conditions
Dynamic List
consider materialised view
especially if using apex_ views
consider security clause
exists (app/page/role)
and is rendered on every page
that has a notification event
means rendering the same thing many times
For every Dynamic Action
Event: Change
Item: P0_SIGNAL
One render of plug-in, used many times
Re-use
Not all performance gains come from the database
#id vs .class -> comparable to indexes
Binary vs Sprite vs Data URI
SQL Reports - build more into HTML to save AJAX
Images
data-attribute
jQuery
Selectors
Client CPU
On New Instance (New Session)
Post-Authentication
https://apex.oracle.com/pls/apex/f?p=73000:6:25081683920960::NO::P6_EMPNO:3
CRM
https://apex.oracle.com/pls/apex/f?p=73000
probably what you're after
unlikely what you're looking for
... but we all try at least once
Bookings
Menu App
:APP_USER = 'nobody'
:APP_USER = 'SWESLEY'
http://www.grassroots-oracle.com/2014/04/shared-authentication-across-multiple-apex-apps.html
http://www.grassroots-oracle.com/2013/05/performance-of-apex-conditions.html
http://www.grassroots-oracle.com/2013/05/css-pull-down-menu-using-apex-list.html
http://www.artzstudio.com/2009/04/jquery-performance-rules/
http://www.ebaytechblog.com/2011/07/12/data-uri-sprites/#.VC1I1WCSzCJ
http://www.skylinetechnologies.com/Blog/Article/2474/CSS-Images-Sprites-vs-Data-URIs.aspx
http://www.mobify.com/blog/css-sprites-vs-data-uris-which-is-faster-on-mobile/
http://stackoverflow.com/questions/648004/what-is-fastest-children-or-find-in-jquery
http://www.dotnetcurry.com/showarticle.aspx?ID=986
DBMS_ASSERT
APEX_ESCAPE.HTML(column)
sql using 'Standard Report Column'
or HTML Expression
<span title="#TOOLTIP#">#ITEM#</span>
apex_item.text(2,ename)
writing dynamic sql
l_sql := 'SELECT description FROM open_tab WHERE code = '
      || SYS.DBMS_ASSERT.ENQUOTE_LITERAL(p_code);
garbage
p_code => 'ONE'' OR ''1''=''1'
XSS
SQL Injection
JAMES&lt;!--5
JAMES<!--5
jsPerf.com
alert("You entered &P1_TEXT!JS.");
sys.htp.script('alert("You entered "+' || apex_escape.js_literal(l_string) || ');');
#APEX5
literals in JavaScript
http://roelhartman.blogspot.nl/2014/09/apex-5-new-substitution-syntax-features.html
doesn't need to be malicious to break your application
ugh
http://www.scmagazine.com/ebay-subdomains-vulnerable-to-xss-attacks-researchers-find/article/348687/
http://threatpost.com/paypal-site-vulnerable-to-xss-attack/100787
http://www.theguardian.com/technology/2014/jun/11/twitter-tweetdeck-xss-flaw-users-vulnerable
https://twitter.com/MattRosoff/status/476766506525945856
http://b.fl7.de/2014/09/amazon-stored-xss-book-metadata.html
PayPal
eBay
TweetDeck
Amazon
XSS news in 2014
http://news.softpedia.com/news/Citigroup-Hackers-Used-URL-Manipulation-to-Extract-Data-206356.shtml
http://roelhartman.blogspot.nl/2014/08/apex-5-new-column-link-features.html
#APEX5
Declaratively link between apps
Access data not allowed
Access pages not allowed
Don't just secure menu
Application Process - all pages
Page Attributes
Session State Protection
Can impact jQuery
- updating protected items
Consider VPD
#APEX5
'After Authentication'
"The first time your authenticated session is used for an application"
Re-use your own wheel
Low Hanging Fruit
Conditions: Declarative vs Dynamic
Timing is everything
Modularise your applications - but log in once
Users are factories for bad data
Sanitise everything
Even users figure this out
Hacking for dummies
Customise UI
Feature Management
One entry point
Initialise Roles
http://roelhartman.blogspot.nl/2014/09/apex-5-new-authorization-evaluation.html
Page Branch
Any condition -> whatever you want
Redirect if not allowed
so many options
+ links
+ buttons
+ items
+ regions
+ columns
+ rows
+ pages
+ processes
+ dynamic actions
#APEX5
Workspace Authentication Scheme
#APEX5
:APP_COMPONENT_TYPE
:APP_COMPONENT_ID
:APP_COMPONENT_NAME
Authorisation Scheme
apex_util.public_check_authorization('developer_scheme')
'Y' IN (:F_IS_DEVELOPER, :F_IS_DBA)
#APEX5
'On Load: Before Header'
Authorisation Scheme
-> Error page
Conditions
Declarative but mutually exclusive
Extremely flexible
PL/SQL Expression on Application Items
EXISTS (select null
          from apex_collections
         where collection_name = 'AUTH_SCHEMES'
           and c001 = 'ROLE_DEVELOPER')
(primed in Post Authentication)
Developer
DBA
{Not Developer}
{Not DBA}
to Authentication Scheme
apex_util.current_user_in_group('dba_group')
to User Groups
Populate Collection
-- Populate custom authorisation (application items, collection)
Process point
Process point
Component Level Security
1 metre
PL/SQL
component re-use patterns
nobugsonlyfeatures
details to come with release of documentation?
Authorisation Schemes
Conditions
APIs
Logic
Build into SQL
And what's wrong with this?
That's better
http://jeffkemponoracle.com/2014/10/09/submit-from-jquery-modal-causing-session-state-protection-violation/
cross-site scripting
on new instance
imitates post-authentication
(<= 4.2)
#APEX5
f?p=LOGIN
User interface -> Login URL
App Alias : LOGIN