2 Replies. Latest reply: May 8, 2013 3:40 AM by VC

    Security question (about processes)

    Giedrius S.
      Hello,

      Let's say I have a page with a button "SAVE", which submits the page. I also have an after-submit process which runs when the user presses the "SAVE" button. Everything works fine.

      Then I add a condition to the "SAVE" button, so that not every user will see it. Let's say User1 sees this button and can press it, and User2 does not see it and so cannot press it.

      The question is: is it possible for User2 to hack the page so that he submits the page as "SAVE" and the process attached to this button is executed? I think that a hacker could use JavaScript like "apex.submit('SAVE')" or some other way.
      If so, then I guess the process attached to the "SAVE" button should also have the same condition as the button? Or is it redundant?

      This question has bothered me for some time, so I would like to hear your opinion.

      Thank you,
      Giedrius
        • 1. Re: Security question (about processes)
          Denes Kubicek
          Your assumption is correct. Hiding a button will not make your application secure. The same condition has to be applied to the corresponding process as well.

          Denes Kubicek
          -------------------------------------------------------------------
          http://deneskubicek.blogspot.com/
          http://www.apress.com/9781430235125
          http://apex.oracle.com/pls/apex/f?p=31517:1
          http://www.amazon.de/Oracle-APEX-XE-Praxis/dp/3826655494
          -------------------------------------------------------------------
          • 2. Re: Security question (about processes)
            VC
            If there are any page/application items involved in your condition logic, you should use a checksum for those to avoid tampering.

            Take a look at authorizations as well - http://docs.oracle.com/cd/E37097_01/doc/doc.42/e35125/sec_authorization.htm#HTMDB25782
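
The point made in both replies, as an added example that is not part of the original thread: the PL/SQL body of the after-submit process re-checks on the server the same rule that hides the button, so a forged SAVE request runs no DML. The authorization scheme name CAN_SAVE, the table DOCUMENTS and the page items P10_ID and P10_TITLE are assumptions made for illustration.

```plsql
-- Added example: body of the after-submit PL/SQL page process tied to SAVE.
-- Assumptions (not from the thread): authorization scheme 'CAN_SAVE',
-- table DOCUMENTS, page items P10_ID and P10_TITLE.
declare
  l_allowed boolean;
begin
  -- The process fires on the submitted REQUEST value, which the client
  -- controls; whether the SAVE button was rendered plays no part here.
  if :REQUEST = 'SAVE' then
    -- Re-evaluate on the server the same scheme that hides the button.
    l_allowed := apex_util.public_check_authorization('CAN_SAVE');

    -- Fail closed: treat NULL the same as FALSE so that no DML runs
    -- for a request this user was never offered.
    if l_allowed is null or not l_allowed then
      raise_application_error(
        -20001,
        'User ' || :APP_USER || ' is not authorized for request SAVE');
    end if;

    -- Reached only by users for whom the scheme evaluates to TRUE.
    -- P10_ID comes from the browser; if it takes part in the condition
    -- logic, protect it with a checksum as the second reply advises.
    update documents
       set title = :P10_TITLE
     where id    = :P10_ID;
  end if;
end;
```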