
APEX SQL Injection vulnerabilities from Acunetix scan, Guidance needed.

K4E, Sep 23 2016 — edited Jan 25 2017

Good afternoon,

We have had one of our APEX 5.03 installations run against an Acunetix scan. The scan is bringing back some critical results about SQL injections but I am fairly sure they are false positives. I believe this code as well is being wrapped behind the scenes so would be very difficult to execute or see what's going on.

The major issues seem to be in relation to the bind variables within the URL.

I am making an educated guess that the results of the scan are showing as critical due to standard ORA- Oracle errors that are being returned. For example: Error ERR-7620 Could not determine workspace for application (1). ORA-01403: no data found when we try to execute one of the results of the scan. This also happens if you run it against an application/workspace on Oracle itself.

An example of a result 1/8 is as follows:

/apex/devboj/f

or

/apex/devboj/wwv_flow.js_messages

Parameter: p | p_flow_id | p_app_id

Alert group: SQL injection

Severity: High

Description: This script is possibly vulnerable to SQL Injection attacks. SQL injection is a vulnerability that allows an attacker to alter back-end SQL statements by manipulating the user input. An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous characters. This is one of the most common application layer attacks currently being used on the Internet. Despite the fact that it is relatively easy to protect against, there is a large number of web applications vulnerable.

Recommendations: Your script should filter metacharacters from user input. Check detailed information for more information about fixing this vulnerability.

Alert variants:

URL encoded GET input p was set to 1#####%2527%2522

Error message found: ORA-01403:

Does anyone know any solution to stop this flagging up, or a valid reason I can give to my department why they should not be looked at further? Is there a way to change the ORA messages that occur to something more readable to stop the flag?

Any suggestions will be greatly appreciated.

Edit: This looks to have been solved with APEX 5.1 as it shows a much nicer error message screen with a return button but would need to test against the scan.

This post has been answered by joelkallman-Oracle on Sep 24 2016
Locked on Feb 22 2017
Added on Sep 23 2016
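
One way to triage the kind of finding described in the post, as an added example that is not part of the original post or of APEX or Acunetix: compare the error codes returned for the scanner's payload with those returned for a harmless value that simply does not exist. The response bodies are constructed samples, the function names are hypothetical, and the set of parser-error codes is an illustrative, non-exhaustive assumption.

```python
import re

# Assumption: illustrative, non-exhaustive Oracle codes raised when the SQL
# text itself fails to parse, i.e. input changed the statement's structure.
SYNTAX_CODES = {"ORA-00907", "ORA-00923", "ORA-00933", "ORA-00936", "ORA-01756"}
# Codes from the post: a lookup that found no row for the supplied value.
LOOKUP_CODES = {"ERR-7620", "ORA-01403"}

CODE_RE = re.compile(r"\b(?:ORA|ERR)-\d{4,5}\b")


def extract_codes(body):
    """Return the set of ORA-/ERR- codes present in a response body."""
    return set(CODE_RE.findall(body))


def triage(payload_body, control_body):
    """Classify a finding by comparing payload and control responses.

    control_body is the response to a harmless value that simply does not
    exist (for example an unused application id), with no metacharacters.
    """
    payload, control = extract_codes(payload_body), extract_codes(control_body)
    if payload & SYNTAX_CODES:
        return "investigate: parser error, input reached the SQL text"
    if not payload:
        return "no error signature in payload response"
    if payload == control and payload <= LOOKUP_CODES:
        return "lookup error only: same codes as harmless control"
    return "inconclusive: review manually"


# Constructed sample bodies; the first mirrors the message quoted in the post.
PAYLOAD_BODY = ("Error ERR-7620 Could not determine workspace for "
                "application (1). ORA-01403: no data found")
CONTROL_BODY = ("Error ERR-7620 Could not determine workspace for "
                "application (987654). ORA-01403: no data found")
SYNTAX_BODY = "ORA-01756: quoted string not properly terminated"

if __name__ == "__main__":
    print(triage(PAYLOAD_BODY, CONTROL_BODY))
    print(triage(SYNTAX_BODY, CONTROL_BODY))
```

A "lookup error only" result is supporting evidence for a false-positive write-up, not proof; the application's own SQL still needs its bind-variable usage reviewed.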