Difference between revisions of "PL/SQL Security Cheat Sheet"

Revision as of 13:03, 27 April 2017

PL/SQL is a powerful procedural language built on top of Oracle SQL syntax. Extensive library of business-related and data-processing functions it incorporates makes it an attractive environment for building business-critical applications operating fully within the Oracle database. Introduction of PL/SQL Web Toolkit enabled Oracle developers to generate HTML straight from the PL/SQL code and build web applications fully residing from within the Oracle database.

Just as any other web stack, PL/SQL web applications require careful input validation and other standard safeguards to prevent exploitable OWASP Top 10 vulnerabilities. Oracle htp (hypertext procedures) and htf (hypertext functions) packages contain the primary functions for generating output in PL/SQL web applications as well as output escaping functions. See Oracle: The htp and htf Packages

Escaping output data to prevent Cross-Site Scripting

Applications running on newer Oracle versions where APEX packages are available should use apex_escape for contextual escaping of output data in a manner similar to ESAPI validators. See Oracle: apex_escape

APEX_ESCAPE.HTML
APEX_ESCAPE.HTML_ATTRIBUTE
APEX_ESCAPE.HTML_TRUNC
APEX_ESCAPE.HTML_WHITELIST
APEX_ESCAPE.JS_LITERAL
APEX_ESCAPE.LDAP_DN
APEX_ESCAPE.LDAP_SEARCH_FILTER
APEX_ESCAPE.NOOP

Applications should use htp.prints to output text blocks rather than htp.print as the former escapes potentially dangerous characters (<>"'). Note that the htp.prints cannot be used as a simple drop-in replacement for htp.print because it will also escape legitimate HTML but by htp usage model raw HTML shouldn't be generally entered in strings but rather generated with appropriate HTML functions (e.g. htp.header(1, 'Hello'); will output <H1>Hello</H1>).

Sample usage in typical PL/SQL code:

   htp.header(1, 'Details for user ' || apex_escape.html(username)); -- outputs <H1>...</H1>
   htp.print('Username: '); -- just a string literal, no need to escape
   htp.italic(apex_escape.html(username), 'class=' || apex_escape.html_attribute(userclass) );
   htp.para();
   htp.prints(address); -- escapes dangerous chars in address string
   htp.script ('var username="' || apex_escape.js_literal(username) || '";');

On older Oracle platforms htf.escape_sc for output in HTML context can be used and the utl_url.escape function is available to escape URL characters (&"<>%). URL escaping functionality is also provided by legacy htf.escape_url function. These functions are generally less robust than their apex_escape equivalents and not context-aware.

Authors

Pawel Krawczyk

Other Cheatsheets

V - T - E Cheat Sheets
Developer / Builder	3rd Party Javascript Management Access Control AJAX Security Cheat Sheet Authentication (ES) Bean Validation Cheat Sheet Choosing and Using Security Questions Clickjacking Defense Credential Stuffing Prevention Cheat Sheet Cross-Site Request Forgery (CSRF) Prevention Cryptographic Storage C-Based Toolchain Hardening CSS Security Deserialization DOM based XSS Prevention Forgot Password HTML5 Security HTTP Strict Transport Security Injection Prevention Cheat Sheet Injection Prevention Cheat Sheet in Java JSON Web Token (JWT) Cheat Sheet for Java Input Validation Insecure Direct Object Reference Prevention JAAS Key Management LDAP Injection Prevention Logging Mass Assignment Cheat Sheet .NET Security OS Command Injection Defense Cheat Sheet OWASP Top Ten Password Storage Pinning Query Parameterization REST Security Ruby on Rails Session Management SAML Security SQL Injection Prevention Transaction Authorization Transport Layer Protection TLS Cipher String Configuration Unvalidated Redirects and Forwards User Privacy Protection Web Service Security XSS (Cross Site Scripting) Prevention XML External Entity (XXE) Prevention Cheat Sheet
Assessment / Breaker	Attack Surface Analysis REST Assessment Web Application Security Testing XML Security Cheat Sheet XSS Filter Evasion
Mobile	Android Testing IOS Developer Mobile Jailbreaking
OpSec / Defender	Virtual Patching Vulnerability Disclosure
Draft and Beta	Application Security Architecture Business Logic Security Content Security Policy Denial of Service Cheat Sheet Grails Secure Code Review IOS Application Security Testing PHP Security Regular Expression Security Cheatsheet Secure Coding Secure SDLC Threat Modeling
All Pages In This Category

@@ Line 3: / Line 3: @@
 Just as any other web stack, PL/SQL web applications require careful input validation and other standard safeguards to prevent exploitable [[OWASP Top 10]] vulnerabilities.  Oracle <code>htp</code> (hypertext procedures) and <code>htf</code> (hypertext functions) packages contain the primary functions for generating output in PL/SQL web applications as well as output escaping functions. See [https://docs.oracle.com/cd/B14099_19/web.1012/b15896/pshtp.htm Oracle: The htp and htf Packages]
-==Escaping==
+==Escaping output data to prevent Cross-Site Scripting==
 Applications running on newer Oracle versions where APEX packages are available should use <code>apex_escape</code> for contextual escaping of output data in a manner similar to [[ESAPI]] validators. See [https://docs.oracle.com/database/121/AEAPI/apex_escape.htm Oracle: apex_escape]

Difference between revisions of "PL/SQL Security Cheat Sheet"

Revision as of 13:03, 27 April 2017

Escaping output data to prevent Cross-Site Scripting

Authors

Other Cheatsheets

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools