How to Prevent Cross Site Request Forgery in Oracle APEX

2
votes

I'm using Oracle APEX version 4.2.2.00.11 on an Oracle 11gR2 DB.

Basically a security assessment was made against an application which came back as having Cross Site Request Forgery as being flagged and via an external html file, where changes were able to be made to a page with a report.

To be more specific, the external html file contained content similar to the following:

<html>
<body>
<form action="http://example.org" method="POST">
<input type="hidden" name="p&#95;t01" value="I like chocolate" />
<input type="hidden" name="p&#95;t02" value="Apples" />
<input type="submit" value="Submit this" />
</form>
</body>
</html>

Assume the example.org URL is an Oracle APEX url, when the user presses the "Submit this" button, the following two values: "I like chocolate" and "Apples" are added to the report on page 300 of the Oracle APEX app.

It is this that I need to prevent from happening.

Based on this, does Oracle APEX have any facility/security setting to prevent this from happening as I have been told that a one-time token ("nonce") associated with the session, in each application request is required?

1
oracle11gxssoracle-apex
Could you give any specifics on your case?Typo
@Typo Please see updated info above.tonyf

1 Answers

0
votes

Look into Session State Protection.

You should be able to find a few blog articles on how to set this up, like this one.

https://oraclemasterminds.blogspot.co.uk/2015/01/session-state-protection-in-apex.html

Generally speaking, in order to prevent a cross site forgery request, a token/nonce/checksum would be included by your application in the form you are posting - an outside attacker, could not know the value of this token.