Hi,
My company performed a Web Vulnerability scan on an APEX application I developed, and APEX performed remarkably well in most areas except one.
When the scan software injects alpha characters into the hidden variables p_flow_id (APP_ID) and p_instance (SESSION), the scan produces different database errors.
An ORA-6502 (VALUE_ERROR) when p_instance is manipulated and an ORA-1403 with p_flow_id.
An example line of code (see the injection in bold):
p_request=PLUGIN%3D741A0BEC1136E9602B19BF94F2B1F97E5EA245818B426578A788DDC5AF632AF9&p_flow_id=100 &p_flow_step_id=2&p_instance=10190743434101%27%3B&p_debug=&x01=GET&x02=20160626000000&x03=20160807000000
The security team views this as possible successful SQL Injection. They are willing to accept that APEX is actually stopping the injection, but they would prefer that the Oracle Error Codes and messages be replaced with some generic failure message before giving final approval.
The major problem of course is that p_flow_id and p_instance are declared as NUMBER in the flows packages and I cannot figure out how to test them and where.
I started looking at a sentry function but basic testing shows that the failure happens before the sentry function is even invoked.
This all works fine from the browser because APEX will redirect to the logon page if the URL is tampered with.
I'm using APEX 5.0.3, Apache 2.4, GlassFish 4, SSL, Oracle 11g on Windows.
Argee
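
The check the security team asks for, sketched as an added example that is not part of the original post and is not APEX or Oracle code: validate the two NUMBER parameters before the request reaches the database tier, and replace any response that carries an ORA-nnnnn code with a generic message. It assumes a filter tier in front of the APEX listener; `upstream`, the sample bodies, the status codes and the message wording are hypothetical.

```python
import re
from urllib.parse import parse_qsl

# The two parameters the post says are declared as NUMBER.
NUMERIC_PARAMS = ("p_flow_id", "p_instance")
GENERIC_ERROR = "The request could not be processed."  # constructed wording
ORA_CODE = re.compile(r"\bORA-\d{4,5}\b")

# Constructed sample bodies modelled on the request in the post
# (PLUGIN value replaced by a placeholder).
CLEAN = ("p_request=PLUGIN%3DPLACEHOLDER&p_flow_id=100&p_flow_step_id=2"
         "&p_instance=10190743434101&p_debug=&x01=GET")
TAMPERED = CLEAN.replace("10190743434101", "10190743434101%27%3B")


def invalid_numeric_params(body):
    """Names of NUMBER parameters whose decoded value is not ASCII digits."""
    return [name for name, value in parse_qsl(body, keep_blank_values=True)
            if name in NUMERIC_PARAMS
            and not (value.isascii() and value.isdigit())]


def filter_exchange(body, upstream):
    """Reject bad input before `upstream` (a hypothetical callable standing in
    for the APEX listener) sees it, and mask any ORA-nnnnn text it returns."""
    if invalid_numeric_params(body):
        return 400, GENERIC_ERROR
    status, text = upstream(body)
    if ORA_CODE.search(text):
        return 500, GENERIC_ERROR
    return status, text


if __name__ == "__main__":
    def leaky(_body):  # constructed upstream that leaks an Oracle error
        return 200, "ORA-06502: PL/SQL: numeric or value error"

    print(invalid_numeric_params(TAMPERED))
    print(filter_exchange(TAMPERED, leaky))
    print(filter_exchange(CLEAN, leaky))
```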