Tuesday, 23 February 2010

APEX - Identify Report Columns Vulnerable to XSS

The following query is a very simple way of identifying all report columns within your APEX application that may be exposed by Cross Site Scripting (XSS).

XSS allows an attacker to inject web script (JavaScript) into an application and when this is rendered in the report, the script is interpreted rather than rendered as text.

To safe guard against this attack, APEX provides a "Display as Text (escape special characters)" report column attribute that can be applied to classic and Interactive Reports. This causes the script text to be displayed as text rather than interpreted by the browser. If you have any markup (HTML) within your query that the report is based on, this markup will also be displayed as text and not interpreted. I personally think this is a good by product as you should not really be coding look and feel into your raw SQL.

Anyway I digress. Here is the query that will identify all vulnerable report columns within your APEX application:

SELECT application_id,
FROM apex_application_page_rpt_cols
WHERE display_as NOT IN
('Display as Text (escape special characters, does not save state)',
'Text Field')
AND workspace != 'INTERNAL'
AND application_id = :APP_ID
ORDER BY 1, 2, 3;



Enzo said...

This is a good topic and one that probably needs a bit more attention, however shouldn't the focus be more on preventing the XSS injection rather than preventing your application from displaying/executing the XSS script?

That aside thanks for the query!

Duncan Mein said...


I disagree with your notion that "preventing the XSS injection" should be the focus as you enter somewhat into a minefield of validations to remove "bad scripting".

This would normally mean validating ALL users input on the client via some scipting and server side via SQL / PL/SQL possibly.

The danger is that client side validation can be bypassed with some know how so you are then putting all your faith on your server side validation. This would normally mean removing opening tags, the word script etc. Under no circumstances is this logic valid as there may be valid business data that includes these values.

Adopting the approach of accept anything and protect the output is the only way to maintain the EXACT data entered by the user and not open your app to XSS.

Just my 2 cents


Enzo said...

Touche, you make a very good point!

My focus has always been on data and ensuring it is clean, a number of generic functions e.g. like "strip scripts" using regex enable this which can either be used in computations, validations, or in triggers.

In regards to "all your faith on server side validation", don't you mean the "all your faith in the developer". I think if you go as far as looking to secure your reports you should possibly think about ways to secure your data as well. Since most systems these days share data.

Anyway thanks for the response it was really insightful.