Oracle Application Express
==Security==
{{More citations needed|date=October 2024}}

APEX applications are subject to the same level of [[application security]] risk as other web-based applications built on more direct technologies such as [[PHP]], [[ASP.NET]] and [[Java (programming language)|Java]]. However, since APEX 4.0, the Application Builder interface has included a utility called Advisor, which provides a basic assessment of an application's security posture. The two main vulnerabilities that affect APEX applications are [[SQL injection]] and [[cross-site scripting|cross-site scripting (XSS)]].<ref>{{Cite web |title=Securing Vulnerability Exploits with Apex – Part 3 |url=https://content.dsp.co.uk/apex/securing-vulnerability-exploits-apex-part-3 |access-date=2024-10-08 |website=content.dsp.co.uk |language=en-gb}}</ref>

'''<big>SQL Injection</big>'''

APEX applications inherently use PL/SQL constructs as the base [[Client–server model|server-side]] language and access data via PL/SQL blocks.<ref>{{Cite web |last=Alpern |first=D. |last2=Agrawal |first2=S. |last3=Baer |first3=H. |last4=Castledine |first4=S. |last5=Chang |first5=T. |last6=Cheng |first6=B. |last7=Dani |first7=R. |last8=Decker |first8=R. |last9=Iyer |first9=C. |title=Overview of PL/SQL |url=https://docs.oracle.com/en/database/oracle/oracle-database/21/lnpls/overview.html#GUID-8E5695A2-F639-4480-9C61-0AE5CF0C16BC |access-date=2025-01-24 |website=Oracle Help Center |language=en-US}}</ref> An APEX application uses PL/SQL to implement authorization and to conditionally display web page elements. Because of this, APEX applications can suffer from SQL injection when these PL/SQL blocks do not correctly validate and handle [[Security hacker|malicious user]] input.<ref>{{Cite web |title=Using Oracle APEX |url=https://enterprisearchitecture.harvard.edu/using-oracle-apex |access-date=2025-01-24 |website=enterprisearchitecture.harvard.edu |language=en}}</ref> Oracle implemented a special variable type for APEX called ''Substitution Variables'' (with the syntax "&NAME."); however, these are insecure and can lead to SQL injection. When an injection occurs within a PL/SQL block, an attacker can inject an arbitrary number of queries or statements to execute. Escaping special characters and using bind variables can reduce, but not remove, XSS and SQL injection vulnerabilities.

'''<big>Cross-Site Scripting (XSS)</big>'''

[[XSS]] vulnerabilities arise in APEX applications just as they do in applications written in other [[web application]] languages. To counteract this, Oracle provides the htf.escape_sc() function to replace literal characters with HTML entity names and avoid undesired behaviors.<ref>{{Cite web |title=Fusion Middleware PL/SQL Web Toolkit Reference |url=https://docs.oracle.com/cd/E28280_01/portal.1111/e12042/pshtp.htm |access-date=2024-10-08 |website=docs.oracle.com |language=en}}</ref>

A developer can use authorization schemes to manage access to resources such as pages and items within an APEX application. To ensure proper security, these schemes must be applied consistently across all relevant resources. An example of inconsistent access control arises when an authorization scheme is applied to a button item but not to the process linked to that button. This inconsistency could allow a user to trigger the process directly via JavaScript, bypassing the button entirely.
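The substitution-variable injection and the htf.escape_sc() escaping described in the two subsections above, shown as an added illustration that is not part of the article or of Oracle's documentation. It assumes a hypothetical table CUSTOMERS(NAME, EMAIL) and two page items, P1_NAME and P1_RESULT; each anonymous block is the source of a separate APEX page process or PL/SQL region.

```sql
-- Constructed example: an APEX page process that looks up a customer by the
-- name typed into page item P1_NAME. Table and item names are assumptions.

-- VULNERABLE: &P1_NAME. is a substitution variable, so APEX expands it into the
-- source text *before* the block runs. The user's input becomes part of the SQL
-- statement itself, and a quote character in the input changes the statement.
DECLARE
  l_email customers.email%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT email FROM customers WHERE name = ''&P1_NAME.'''
    INTO l_email;
  :P1_RESULT := l_email;
END;

-- HARDENED: the page item is referenced as a bind variable (:P1_NAME). The
-- statement text is fixed when the block is compiled and the value travels
-- separately, so it can never alter the statement's structure.
DECLARE
  l_email customers.email%TYPE;
BEGIN
  SELECT email
    INTO l_email
    FROM customers
   WHERE name = :P1_NAME;          -- static SQL, no string concatenation
  :P1_RESULT := l_email;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    :P1_RESULT := NULL;            -- unknown name: leave the result item empty
END;

-- If dynamic SQL is genuinely required, keep the input as a bind there too:
DECLARE
  l_email customers.email%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT email FROM customers WHERE name = :1'
    INTO l_email
    USING :P1_NAME;                -- value bound, never spliced into the text
  :P1_RESULT := l_email;
END;

-- XSS: when a PL/SQL region writes the stored value back into the page, escape
-- it with htf.escape_sc so that markup in the data is rendered as literal text
-- instead of being interpreted by the browser.
BEGIN
  htp.p('<p>Email: ' || htf.escape_sc(:P1_RESULT) || '</p>');
END;
```

Running the Advisor utility mentioned above flags PL/SQL sources that still contain "&ITEM." substitutions, which is a quick way to find the vulnerable pattern across an application.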