Monday, November 19, 2012

Session State Protection in Detail

Session State Protection (SSP) can be confusing for new APEX developers and also difficult for senior APEX developers trying to explain it. This article will cover SSP in detail.

What is SSP? 

SSP is used to prevent URL tampering. URL tampering is when a malicious user modifies URL parameters to access data that they may not have access to. For example if you have a Master Detail setup for the EMP table (i.e a report with edit links to a form) each link will look something like this: http://fcapex42.clarifit.com:8894/apex/f?p=211:11:14916146169058::::P11_EMPNO:7698. If you restricted the report to employees in your current department you can easily change the EMPNO id and change it to another employee in another department. Even though the intention of the application was to “restrict” users to only edit people within their own department a malicious or curious user could start editing all the employees.

SSP prevents URL tampering by applying a checksum to the end of the URL. The new URL looks something like: http://fcapex42.clarifit.com:8894/apex/f?p=211:11:14916146169058::::P11_EMPNO:7698&cs=3358AAB32787C2A2B294CE934D50FD0C3. If a user now tries to modify the EMPNO id they will get an error in APEX as the URL won't have the correct checksum.

Applying SSP

To add SSP at the page level (technically called Page Access Protection at the page level) edit the page and scroll down to the Security section. Select Arguments Must Have Checksum for the Page Access Protection option.

Once that is added you can modify the page items you want SSP to be applied to. Edit a page item and scroll down to the Security section. Select an option for Session State Protection (note: click on the help link to find the differences between the various options; I usually use Checksum Required - Session Level).


To modify a page and all its page items at the same time go to Shared Components > Session State Protection > Page Item and click on a page link.


Two Layered Approach: Page vs Page Items

The easiest way to think of SSP in APEX is that it’s a two layered approach. First you must define which pages (not page items) require a checksum applied to it when passing in URL parameters. The second part is to define which page items require a checksum when set from the URL. You can’t do the later with out the former (i.e. if you just define a set of page items to have SSP it won’t work) but you can have pages with SSP without any page items with SSP.

The two layered approach is where most people get confused. If you apply SSP at the page level, shouldn’t all items be protected? At first glance the answer is “yes”. But the actual answer is no. The following example highlights why both “layers” are required.

Suppose we only apply Page Access Protection for the EMP form page (let’s say P11). If I clicked on a link to edit an employee it would add the checksum. Initially it looks as if everything is ok. Now suppose we have another page, P20, that doesn’t have Page Access Protection enabled. We could actually set P11_EMPNO from P20. The URL would look like this: http://fcapex42.clarifit.com:8894/apex/f?p=211:20:14916146169058::::P11_EMPNO:7839 Most people forget that you can set page items from any page, i.e. you’re not restricted to only setting items for the current page that you’re accessing.

You could also set any of the page items via an AJAX call (since none of them have SSP applied to them). Either way, just applying page access protection isn't enough.

When Not to Apply SSP

If you haven’t implemented SSP in your application you should really look at doing so. Before you apply it to all items it’s important to note that any items that can be set via an AJAX call can not have SSP enabled for them. The most usual case of this is cascading LOVs (select a department, then a list of employees gets refreshed with all the employees that belong to the selected department).

The reason why you can’t have SSP item items that are set via AJAX is that AJAX uses JavaScript to build the URL. Since JavaScript code is downloaded and runs on the end user’s machine it is not deemed to be secure. So if you had your checksum code in a JavaScript file a malicious user to easily reverse engineer it and apply checksums for any item they wanted to.

Conclusion

SSP is a great feature to quickly help secure your application. It’s important to remember that SSP only prevents URL tampering. Nothing more, nothing less. It’s a common mistake by developers, and managers alike, that just applying SSP means that they’ve locked down and secured an application. It’s just one of many steps to help protect your application.

11 comments:

  1. Hi Martin

    Enjoyed your article, it clearly explains the topic.

    ReplyDelete
  2. Thanks for the clear explanation on this topic.

    ReplyDelete
  3. Is there a whitepaper available that describes APEX security best practices such that if you followed it's guidance your application would pass rigorous security checkers, etc.?

    ReplyDelete
    Replies
    1. Offhand, none that I know of. You can try the APEX Collateral page: http://www.oracle.com/technetwork/developer-tools/apex/application-express/apex-collateral-1863614.html

      They're some 3rd party tools that you can look at which evaluate your application. The main ones are ApexSec by Recx and eSert by Enkitec

      Delete
  4. Hi Martin,

    How can we apply SSP to pop-up page using Javascript? Often we have pop-ups to save users going into another page like below using javascript:


    function newPopUp()
    {
    url = 'f?p=&APP_ID.:50:&APP_SESSION.::NO:RP,50:P50_USER_ID:&P21_USER_ID.';
    w = open(url,"winLov3","position=center, top=1,left=0,Scrollbars=0,resizable=0,width=605,height=500");
    if (w.opener == null)
    w.opener = self;
    w.focus();
    }


    I know there is a PL/SQL function to produce APEX URLs which can include a checksum but can the same be achieve in javascript? Cheers.

    ReplyDelete
    Replies
    1. No you can not generate a proper APEX URL with checksum just using JS. Since the JS code is downloaded to the browser the salt would be exposed to the client and therefor they could create their own (valid) checksums.

      The way to create the URLs would still to use the APEX_UTIL.PREPARE_URL function before/while the page is loading.

      You could create a dynamic action that would return a valid URL using the function above but you'd be exposing your AJAX call to the client and they could enter malicious data and getting back a valid URL thus ruining the whole point.

      Delete
    2. Thanks Martin.
      APEX_UTIL.PREPARE_URL working correctly.

      Delete
  5. Hi Martin,
    Is it possible to call SSP enabled application page URL from other application ? If yes how to handle it ?

    ReplyDelete
    Replies
    1. You can reference the page but you may have some issues passing in variables. Of course you can test this out easily, I'm just not sure how the checksum will be generated from another application.

      Delete
    2. Hi,
      How exactly checksum will generate in Apex ?

      Delete
    3. apex_util.prepare_url http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35127/apex_util.htm#CDEIBCJD

      Delete