Oracle Application Express
Oracle APEX is a low-code application development platform developed by Oracle Corporation. APEX is used for developing and deploying cloud, mobile and desktop applications. It has a web-based integrated development environment that includes tools such as wizards, drag-and-drop layout builders, and property editors.
Background
APEX is a feature of the Oracle Database. It is a part of the Oracle Cloud within the Autonomous Database Cloud Services and the stand-alone APEX Application Development service.Oracle APEX has had name changes since its creation in 2000, including:
- Flows
- Oracle Platform
- Project Marvel
- HTML DB
- Application Express aka Oracle APEX
History
With version 5.2, the numbering system was changed to align with the year and quarter of the release, renaming it to 18.1. This change is consistent with Oracle's change in numbering nomenclature.
Low-code environment
Oracle APEX is a low-code development platform, a type of environment that can trace their origins to fourth-generation programming languages and rapid application development tools.APEX allows users to build web applications with a "no code" graphical user interface. However, when the requirements are more complex, APEX allows the extension of the low-code objects through a declarative framework. This framework lets the developer define custom logic, business rules, and user interfaces. The developer can do this through the inclusion of SQL, PL/SQL, HTML, JavaScript, or CSS as well as APEX plug-ins.
Security
APEX applications are subject to the same level of application security risks as other web-based applications built on more direct technologies such as PHP, ASP.NET and Java. However, since APEX 4.0, the Application Builder interface has included a utility called Advisor, which provides a basic assessment of an application’s security posture.The two main vulnerabilities that affect APEX applications are SQL injection and cross-site scripting.
SQL Injection
APEX applications inherently use PL/SQL constructs as the base server-side language and access data via PL/SQL blocks. An APEX application will use PL/SQL to implement authorization and to conditionally display web page elements. Because of this, APEX applications can suffer from an SQL injection when these PL/SQL blocks do not correctly validate and handle malicious user input.
Oracle implemented a special variable type for APEX called Substitution Variables ; however, these are insecure and can lead to SQL injections. When an injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute. Escaping special characters and using bind variables can reduce, but not remove, XSS and SQL injection vulnerabilities.
Cross-Site Scripting
XSS vulnerabilities arise in APEX applications just like in other web application languages. To counteract this, Oracle provides the htf.escape_sc function to replace literal characters with HTML entity names and avoid undesired behaviors.
A developer can use authorization schemes to manage access to resources like pages and items within an APEX application. To ensure proper security, these schemes must be consistently applied across all relevant resources. An example of inconsistent access control arises when an authorization scheme is applied to a button item but not to the process linked to that button. This inconsistency could allow a user to trigger the process directly via JavaScript, bypassing the button entirely.