APEX Security Checklist

The document provides a checklist of steps to secure an Oracle APEX application. It discusses common vulnerabilities like SQL injection, cross-site scripting, and URL tampering. It then lists over 30 specific measures that can be taken to prevent attacks, such as enabling session state protection, using bind variables, validating SQL, implementing authorization schemes, and configuring session timeouts. Regularly applying the latest APEX releases and security patches is also recommended.

Uploaded by MOHAMMAD ASHRAF
Copyright © All Rights Reserved

APEX Security Checklist

Every web application is subject to tampering. Malicious users may try to exploit weaknesses in your APEX application using a number of different techniques, such as:
— Page Attributes
— URL Tampering
— SQL Injection (SQLi)
— Cross Site Scripting (XSS)
In reality, the risk of SQLi and XSS in APEX is almost none.
Fortunately, the steps below can be taken to prevent these types of attacks:

* Enable Session State Protection
* Enable Page Access Protection for ALL pages
* Ensure that all Hidden Items are Protected
* Use bind variables in any SQL & PL/SQL to avoid SQL Injection
* Use DBMS_ASSERT to validate SQL
* Use an APEX-specific security tool to help identify SQL Injection risks
* Ensure that all APEX applications use the same authentication scheme
* Do not mix Public & Internal Users in the same application
* Ensure that your directory is set to lock accounts and require password changes
* Consider Two Factor Authentication for more sensitive applications
* Use Secure Views, VPD or OLS to limit what data a user can see
* Use Redaction where data needs to be seen but limited
* Always use HTTPS
* Be sure to Encrypt sensitive items
* Disable Download from sensitive reports
* Start adding Authorization Schemes at the page level and work up from there
— Securing navigational controls (tabs, lists, buttons etc.) is simply not enough, as users can easily manipulate the URL to access any page
— Use a federated model that manages access across all applications and all workspaces vs. stove-piping on a per-app basis
* Consider a hybrid approach (LDAP authentication, table-based authorization) when it is not possible to easily change user-to-role mappings in LDAP
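The "bind variables" and "DBMS_ASSERT" items above are easier to apply with a concrete before-and-after. The following PL/SQL package is an added example, not code from the checklist or from Oracle; it assumes the standard EMP demo table (ENAME, SAL, HIREDATE, DEPTNO) is readable by the executing schema, and the package name `emp_lookup` is invented for the example. The `_unsafe` function is kept only to show the pattern the checklist tells you to avoid.

```plsql
-- Added example (not from the checklist): dynamic SQL built unsafely by
-- concatenation, then the same lookups with bind variables and DBMS_ASSERT.
-- Assumes the EMP demo table; package name is hypothetical.

create or replace package emp_lookup as
  -- Pattern to avoid: user input becomes part of the statement text.
  function count_by_name_unsafe (p_name in varchar2) return number;
  -- Hardened: the value travels as bind data.
  function count_by_name (p_name in varchar2) return number;
  -- Hardened: an identifier cannot be bound, so it is validated with
  -- DBMS_ASSERT and then checked against an explicit allowlist.
  function names_in_dept (p_sort_col in varchar2, p_dept in number)
    return sys.odcivarchar2list;
end emp_lookup;
/

create or replace package body emp_lookup as

  function count_by_name_unsafe (p_name in varchar2) return number is
    l_cnt number;
  begin
    -- Any single quote inside p_name changes the statement text itself,
    -- and every distinct value also forces a new hard parse.
    execute immediate
      'select count(*) from emp where ename = ''' || p_name || ''''
      into l_cnt;
    return l_cnt;
  end count_by_name_unsafe;

  function count_by_name (p_name in varchar2) return number is
    l_cnt number;
  begin
    -- :name is a placeholder; the value is supplied separately via USING,
    -- so it can never be interpreted as SQL.
    execute immediate
      'select count(*) from emp where ename = :name'
      into l_cnt using p_name;
    return l_cnt;
  end count_by_name;

  function names_in_dept (p_sort_col in varchar2, p_dept in number)
    return sys.odcivarchar2list is
    l_names sys.odcivarchar2list;
    l_col   varchar2(128);
  begin
    -- SIMPLE_SQL_NAME raises ORA-44003 if p_sort_col is not a syntactically
    -- valid identifier. It does not know which columns you intended to
    -- expose, so the allowlist below is still required.
    l_col := sys.dbms_assert.simple_sql_name(p_sort_col);
    if upper(l_col) not in ('ENAME', 'SAL', 'HIREDATE') then
      raise_application_error(-20001, 'sort column not permitted: ' || l_col);
    end if;

    -- The data value is still bound; only the vetted identifier is concatenated.
    execute immediate
      'select ename from emp where deptno = :dept order by ' || l_col
      bulk collect into l_names using p_dept;
    return l_names;
  end names_in_dept;

end emp_lookup;
/
```

In an APEX region or process, the page item values (`:P1_NAME`, `v('P1_NAME')`) would be passed as `p_name`; the point is that they reach the database only through `USING`, and anything that must be spliced into statement text goes through DBMS_ASSERT plus an allowlist first.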

Application Settings
— Ensure Logging is enabled
— Ensure Debugging is disabled
— Set Compatibility Mode to most recent version
— Set Build Status to Run Only
— Create and incorporate an Error Handling function

Security Settings
— Set an application-level Authorization Scheme
— Configure Session Timeout and Idle Timeout
— Enable and Configure Session State Protection
— Set Allow Frames to Disabled or Same Site Only
— Disable Browser Cache
— Set Escaping Mode to Extended
— Set Re-join Sessions accordingly
— Disable Runtime API Usage
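The checklist asks for an application-level Authorization Scheme and, earlier, suggests a hybrid model (LDAP authentication with table-based authorization). The PL/SQL below is an added example of such a scheme, not code from the checklist or from Oracle. The table `app_user_roles`, the package `app_authz` and the role name `ADMIN` are all invented for the example; `v('APP_USER')` and `v('APP_ID')` are the standard APEX session functions.

```plsql
-- Added example (not from the checklist): table-driven authorization for
-- the hybrid model. Authentication stays with the application's scheme
-- (e.g. LDAP); role membership is held in a table the DBA controls.
-- Table, package and role names are hypothetical.

create table app_user_roles (
  username  varchar2(255) not null,
  role_name varchar2(64)  not null,
  app_id    number default 0 not null,   -- 0 = role applies to every application
  constraint app_user_roles_pk primary key (username, role_name, app_id)
);

create or replace package app_authz as
  -- Returns TRUE when the current APEX user holds p_role for the current
  -- application or globally. Use it in an Authorization Scheme of type
  -- "PL/SQL Function Returning Boolean":  return app_authz.has_role('ADMIN');
  function has_role (p_role in varchar2) return boolean;
end app_authz;
/

create or replace package body app_authz as
  function has_role (p_role in varchar2) return boolean is
    l_dummy pls_integer;
  begin
    -- Static SQL: PL/SQL binds every variable automatically. APP_USER and
    -- APP_ID come from the authenticated APEX session, not from the URL.
    select 1
      into l_dummy
      from app_user_roles
     where username  = upper(v('APP_USER'))
       and role_name = upper(p_role)
       and app_id    in (0, to_number(v('APP_ID')))
       and rownum    = 1;
    return true;
  exception
    when no_data_found then
      return false;        -- deny by default: no row means no access
  end has_role;
end app_authz;
/
```

Attaching the scheme at the application level means every page is denied unless the function returns TRUE, which is what makes URL tampering between pages ineffective; page-level schemes can then narrow access further. Keeping all applications in a workspace on the same table gives the federated model the checklist recommends instead of a per-app copy of the mapping.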
* Never disable escaping on columns
— When you do, be sure you know where the data is coming from or escape it with APEX_ESCAPE

* Be wary of Application Items that are rendered as HTML
— Source is not escaped by default
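The two items above (never disable escaping; application items rendered as HTML are not escaped by default) are both about choosing the right APEX_ESCAPE call for the context a value lands in. The block below is an added example of a PL/SQL region source, not code from the checklist or from Oracle. The application item `G_WELCOME_NAME` and the page item `P1_SEARCH` are assumed names; `apex_escape.html`, `html_attribute`, `js_literal` and `html_whitelist` are the documented APEX_ESCAPE functions.

```plsql
-- Added example (not from the checklist): rendering an application item and
-- a user-entered page item into HTML. Item names are hypothetical.

declare
  l_name   varchar2(4000) := v('G_WELCOME_NAME');  -- application item, set by a process
  l_search varchar2(4000) := v('P1_SEARCH');       -- page item taken from user input
begin
  -- Unsafe (commented out): the raw values become part of the markup.
  -- A '<' in l_name is parsed as a tag; a '"' in l_search breaks out of the
  -- attribute. This is the "escaping disabled" situation the checklist warns about.
  --   sys.htp.p('<h2>Welcome ' || l_name || '</h2>');
  --   sys.htp.p('<input type="text" value="' || l_search || '">');

  -- Safe: escape for HTML text content.
  sys.htp.p('<h2>Welcome ' || apex_escape.html(l_name) || '</h2>');

  -- Safe: escape for an HTML attribute value (quotes are the critical character).
  sys.htp.p('<input type="text" value="' || apex_escape.html_attribute(l_search) || '">');

  -- Safe: a value handed to JavaScript needs a JavaScript string literal,
  -- not HTML escaping; js_literal adds the quotes and escapes the contents.
  sys.htp.p('<script>var lastSearch = ' || apex_escape.js_literal(l_search) || ';</script>');

  -- If some markup must be allowed (rich text from trusted editors), keep an
  -- explicit tag allowlist instead of turning escaping off for the column.
  sys.htp.p(apex_escape.html_whitelist(
              p_html           => l_name,
              p_whitelist_tags => '<b>,</b>,<i>,</i>'));
end;
```

The same rule applies to report columns: leaving "Escape special characters" enabled gives you `apex_escape.html` for free, and the only reason to disable it is when the column value is built by code like the above that has already escaped every untrusted part.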

* Restrict characters on input forms
— Understand that not all input may come from your application

* Ensure that you're running the latest release of Oracle APEX
* Subscribe to and Apply Patches referenced in Oracle Security Alerts
* Keep an eye on industry publications for new exploits/vulnerabilities