
APEX


Failed security audit (XSS and SQL Injection are possible).

Bill CarlisleAug 20 2010 — edited Jan 29 2011
Are there protections from code injection that can be put in place? They were able to inject <script> that ran a marquee across the screen... and said they could grab people's usernames and passwords by injecting in the same way...

From Security:
Dangerous characters which should be filtered:
• < > " ' % ; ) ( & + -
• These should be checked for and filtered out in all requests, input forms, the URI, headers, and cookies.

Does APEX have anything that can be turned on to avoid having to check all inputs?

Also, they used the Firefox "Inspector" to change a text item from a maximum of 9 characters to 50 characters so they could inject code...

Any help appreciated..
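The three findings in the post (script injected through a text item, SQL injection, and the client-side maxlength edited away in the browser inspector) are usually closed not by filtering a character blacklist but by enforcing limits on the server, passing user input to SQL only through bind variables, and HTML-encoding values on output. The example below is added here to illustrate that and is not code from the original post or from APEX (APEX applications are written in PL/SQL; this is a generic Python illustration with an in-memory SQLite table, and the users table, MAX_LEN and the function names are constructed for the demonstration).

```python
import html
import sqlite3

# Constructed limit: the form's client-side maxlength, which the server must
# enforce itself because the browser-side attribute can be edited away.
MAX_LEN = 9


def setup_db():
    """Constructed in-memory table standing in for the application's data;
    it is not the schema from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the submitted value is concatenated into the SQL text, so
    quotes and keywords inside it are parsed as part of the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Fixed: a bind variable carries the value as data; nothing in it can
    change the statement's structure, whatever characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def within_limit(value, max_len=MAX_LEN):
    """Server-side length check. A maxlength attribute in the HTML is advisory
    only: a user can change it in the browser's inspector and submit any
    length, so the server repeats the check on every request."""
    return len(value) <= max_len


def render_cell(value):
    """Output encoding: HTML-escape on the way to the page, so a <script> or
    <marquee> tag that was stored earlier is displayed as text, not executed."""
    return html.escape(value, quote=True)


def handle_request(conn, username):
    """Combine the three controls the way a request handler would: reject
    over-length input, query with a bind variable, encode what is rendered."""
    if not within_limit(username):
        return {"status": "rejected", "reason": "too long"}
    rows = lookup_safe(conn, username)
    return {
        "status": "ok",
        "rows": [(render_cell(u), render_cell(e)) for u, e in rows],
    }


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"
    print("concatenated SQL returns:", lookup_vulnerable(db, payload))
    print("bind variable returns:   ", lookup_safe(db, payload))
    print("rendered script tag:     ", render_cell("<script>alert(1)</script>"))
    print("50-char submission:      ", handle_request(db, "x" * 50))
```

Running it shows the concatenated query returning every row for the `' OR '1'='1` payload while the bind-variable query returns nothing, the script tag coming back as inert `&lt;script&gt;` text, and the 50-character submission being rejected regardless of what the form's maxlength said. Encoding on output rather than stripping characters on input also means legitimate values containing `'`, `&` or `-` are stored and displayed unchanged.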
Post Details
Locked on Feb 26 2011
Added on Aug 20 2010
6 comments
1,704 views