Wednesday, 27 February 2013

Recx add Oracle APEX detection to Tenable Nessus

Recx have authored a selection of plugins for Tenable's automated vulnerability analysis product Nessus. These facilitate the detection of Oracle APEX instances when networks are scanned by Nessus. The plugins can locate and analyse APEX web technology stacks to assist penetration testers, ethical hackers and network auditors in the identification of vulnerable versions of Oracle APEX on corporate networks.

In total Recx submitted thirteen plugins to Tenable, all of which have been approved and are now included in the update feed for the Nessus Vulnerability Scanner. This allows Nessus to:
  • Detect the presence of Oracle APEX on any web servers discovered during a network audit.
  • Determine the version of Oracle APEX in use.
  • Check whether the APEX application builder interface is available.
  • Identify specific publicly disclosed vulnerabilities in the APEX instance.
Several vulnerabilities in the core of APEX have been released publicly and have Common Vulnerabilities and Exposures (CVE) references; the Recx plugins for Nessus can identify whether these issues affect the discovered APEX instance:
  • CVE-2008-4005 - "Unspecified vulnerability in the Oracle Application Express component in Oracle Database 11.1.0.6 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors."
  • CVE-2009-0981 - "Unspecified vulnerability in the Application Express component in Oracle Database 11.1.0.7 allows remote authenticated users to affect confidentiality, related to APEX."
  • CVE-2009-1993 - "Unspecified vulnerability in the Application Express component in Oracle Database 3.0.1 allows remote authenticated users to affect confidentiality and integrity, related to FLOWS_030000.WWV_EXECUTE_IMMEDIATE."
  • CVE-2010-0076 - "Unspecified vulnerability in the Application Express Application Builder component in Oracle Database 3.2.1.00.10 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors."
  • CVE-2010-0892 - "Unspecified vulnerability in the Application Express component in Oracle Database Server 3.2.0.00.27 allows remote attackers to affect integrity via unknown vectors."
  • CVE-2011-3525 - "Unspecified vulnerability in the Application Express component in Oracle Database Server 3.2 and 4.0 allows remote authenticated users to affect confidentiality, integrity, and availability, related to APEX developer user."
  • CVE-2012-1708 - "Unspecified vulnerability in the Application Express component in Oracle Database Server 4.0 and 4.1 allows remote attackers to affect integrity via unknown vectors."
The last three issues were discovered and responsibly disclosed by Recx during the course of our ongoing vulnerability research into the Oracle APEX platform. These plugins are enabled by default.


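As an added illustration of the two steps the plugins automate, fingerprinting the APEX version from a page and checking it against the affected versions quoted in the CVE descriptions above, here is a small Python example. It is not Recx's or Tenable's code and makes two assumptions: that the version string appears in the page as "Application Express x.y.z" (the sample HTML below is constructed for the example), and that a short affected version such as "3.2" covers all 3.2.x releases while a full one such as "3.2.1.00.10" must match exactly. CVE-2008-4005 and CVE-2009-0981 are keyed to Oracle Database versions rather than APEX versions in their descriptions, so an APEX version string alone cannot decide them and they are left out of the table.

```python
import re
from typing import Optional

# Constructed sample response: an HTML fragment shaped like an APEX page footer.
# Where the version string appears in a real page is an assumption for this example.
SAMPLE_HTML = """<html><body>
<div id="apex-footer">Application Express 4.1.1.00.23</div>
</body></html>"""

# APEX versions named in the CVE descriptions quoted in the post. CVE-2008-4005 and
# CVE-2009-0981 name Oracle Database versions instead, so they are not listed here.
CVE_AFFECTED_APEX_VERSIONS = {
    "CVE-2009-1993": ["3.0.1"],
    "CVE-2010-0076": ["3.2.1.00.10"],
    "CVE-2010-0892": ["3.2.0.00.27"],
    "CVE-2011-3525": ["3.2", "4.0"],
    "CVE-2012-1708": ["4.0", "4.1"],
}

VERSION_RE = re.compile(r"Application Express\s+(\d+(?:\.\d+)+)")


def apex_version_from_html(html: str) -> Optional[str]:
    """Return the dotted APEX version found in the page body, or None if absent."""
    m = VERSION_RE.search(html)
    return m.group(1) if m else None


def _components(version: str) -> list:
    """Split '3.2.1.00.10' into integer components so '00' compares equal to '0'."""
    return [int(part) for part in version.split(".")]


def version_matches(observed: str, affected: str) -> bool:
    """Prefix rule (an assumption of this example, not the Nessus plugins' logic):
    the observed version is affected when its leading components equal the
    affected version's components, so '3.2' covers 3.2.x.y and a full
    '3.2.1.00.10' only matches itself."""
    obs, aff = _components(observed), _components(affected)
    return obs[: len(aff)] == aff


def applicable_cves(version: str) -> list:
    """CVE identifiers from the table whose quoted affected versions cover `version`."""
    return sorted(
        cve
        for cve, versions in CVE_AFFECTED_APEX_VERSIONS.items()
        if any(version_matches(version, v) for v in versions)
    )


def assess(html: str) -> dict:
    """Combine detection, version fingerprinting and CVE mapping into one finding."""
    version = apex_version_from_html(html)
    if version is None:
        return {"apex_detected": False, "version": None, "cves": []}
    return {"apex_detected": True, "version": version, "cves": applicable_cves(version)}


if __name__ == "__main__":
    print(assess(SAMPLE_HTML))
```

For the constructed sample the result is a 4.1.1 instance matched only against CVE-2012-1708; a 3.2.1.00.10 instance would be matched against both CVE-2010-0076 and CVE-2011-3525 but not CVE-2010-0892, whose quoted version is a different 3.2 build. A version match is a prompt to patch and to verify against the vendor advisory, not proof of exploitability.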
Maintaining a current version of Oracle APEX is only one part of protecting your environment against cyber attacks. In addition to keeping the framework up-to-date, it's critical to ensure that the deployed APEX applications are secured against web-level attacks such as SQL Injection and Cross-Site Scripting. Our ApexSec product can perform automated code-level inspection of your in-house APEX applications, allowing the identification of vulnerabilities and the rapid mitigation of exposures.

We thank everyone at Tenable for accepting and integrating our plugins into their world leading product. We hope this helps our customers and the wider community maintain a secure operating environment in which to host their APEX applications.

Tuesday, 26 February 2013

Hands-on Oracle APEX Security

We have noticed that even developers with the best of intentions can still end up with vulnerable APEX applications. That's why we're in the final stages of publishing a book that is going to cover the various classes of security risk we have experienced when securing high security APEX installations over the years.

All the examples are taken from real-world APEX applications, just sanitised and distilled to demonstrate particular areas of vulnerability. The book gives examples of vulnerable code and shows the correct way to fix your applications. We've submitted the technical content to the publishers and the edit is underway.

The structure so far breaks down into the four main areas of risk:
  • Access Control - applying authentication and authorisation schemes, common pitfalls.
  • Cross-Site Scripting - attacks and defences, encoding functions.
  • SQL Injection - query syntax modification, impact of attacks, subtle differences between vulnerable and non-vulnerable PL/SQL code.
  • Item Protection - classification of items and the protection each type requires.
Learning through example is a great way to experiment with APEX security and equips developers with some of the tools and techniques used by attackers. By showing step-by-step how data can be accessed with SQL Injection or how users can be attacked with Cross-Site Scripting, developers will be made aware of attack techniques and understand how the defensive mechanisms of APEX can be used to protect their applications.

Most existing texts on APEX security are consigned to just a chapter within existing programming books or simplified to such an extent as to give a false sense of security. This book gets into the mindset of hackers and deep into the APEX framework to tackle the difficult world of security head-on.

We're proud to be working on this eBook with Wiley who publish the wonderful Web Application Hacker's Handbook, a must read for any web technology developer.

We're hoping to announce the release of our Hands-on Oracle APEX Security eBook in the coming months; watch this space!