What Is a Cross-Site Scripting Security Breach?
Cross-site scripting (also referred to as XSS) is a web security vulnerability that allows
an attacker to compromise the interactions that users have with a vulnerable application. In an
XSS attack, a script is delivered to a web application and activates when a user's browser reads
the page that carries it. Once activated, such scripts can steal data, including session credentials,
and return the information to the attacker.
If malicious code were introduced into an Oracle Application Express application, it
could be rendered into HTML regions and other places within the application during normal
page rendering. To prevent the introduction of malicious code into session state, the
Application Express engine escapes characters in certain cases.
Prevention
Store value encrypted in session state:
If the contents of an item contain sensitive data, then you should encrypt the value
when it is stored in the Application Express session state management tables. Otherwise,
anyone with rights to read the Application Express metadata tables could potentially write a
query to extract this sensitive data.
Restricting Characters Entered on a Page Item:
Limit cross-site scripting (XSS) and other injection attacks by restricting the characters users
can save in session state. To accomplish this, edit the page item and configure
the Security, Restricted Characters attribute, which restricts the characters that can be saved in
session state. Available options include:
• All Characters Allowed
No restriction applies.
• Whitelist for a-Z, 0-9 and space
Only allow characters a-z, A-Z, 0-9, and space.
• Blacklist HTML command characters (<>").
Do not allow reserved HTML characters.
• Blacklist &<>"/;,*|=% and --:
Do not allow &, <, >, ", /, ;, ",", *, |, =, % and "--" (PL/SQL comment).
• Blacklist &<>"/;,*|=% or -- and new line
Do not allow &, <, >, ", /, ;, ",", *, |, =, %, "--", and new line characters
If you select a restriction, Oracle Application Express displays an error message if a user tries
to save data which does not conform to the selected character restriction.
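The following Python model shows what each Restricted Characters option rejects, as an added example; it is not Oracle's code and does not reproduce how the Application Express engine validates internally, only the character rules that the option descriptions above state. The option names are taken from the list; the function names and the sample values are constructed for the demonstration.

```python
"""Model of the Application Express 'Restricted Characters' page-item setting.

Added example, not Oracle's code: the option names follow the documentation,
the rule enforced for each is our reading of its description.
"""
import re

# Option names as listed for the Restricted Characters attribute.
ALL_CHARACTERS_ALLOWED = "All Characters Allowed"
WHITELIST_ALNUM_SPACE = "Whitelist for a-Z, 0-9 and space"
BLACKLIST_HTML = 'Blacklist HTML command characters (<>")'
BLACKLIST_INJECTION = 'Blacklist &<>"/;,*|=% and --'
BLACKLIST_INJECTION_NEWLINE = 'Blacklist &<>"/;,*|=% or -- and new line'

# Whitelist: a single character is acceptable only if it is a-z, A-Z, 0-9 or space.
_WHITELIST_RE = re.compile(r"^[A-Za-z0-9 ]$")
# Characters the two HTML/injection blacklists refuse.
_HTML_CHARS = set('<>"')
_INJECTION_CHARS = set('&<>"/;,*|=%')


def violations(value: str, option: str) -> list:
    """Return the distinct offending characters or sequences in `value`.

    An empty list means the value conforms and may be saved in session state;
    a non-empty list is what an error message would have to report.
    """
    if option == ALL_CHARACTERS_ALLOWED:
        return []
    if option == WHITELIST_ALNUM_SPACE:
        return sorted({c for c in value if not _WHITELIST_RE.match(c)})
    if option == BLACKLIST_HTML:
        return sorted({c for c in value if c in _HTML_CHARS})
    if option in (BLACKLIST_INJECTION, BLACKLIST_INJECTION_NEWLINE):
        found = {c for c in value if c in _INJECTION_CHARS}
        if "--" in value:               # SQL / PL/SQL comment marker
            found.add("--")
        if option == BLACKLIST_INJECTION_NEWLINE and ("\n" in value or "\r" in value):
            found.add("<new line>")     # label used for the newline finding
        return sorted(found)
    raise ValueError(f"unknown Restricted Characters option: {option!r}")


def conforms(value: str, option: str) -> bool:
    """True when the value would be accepted into session state under `option`."""
    return not violations(value, option)


if __name__ == "__main__":
    # Constructed sample inputs, one per option, to show what each rule catches.
    samples = [
        ("hello world 42", WHITELIST_ALNUM_SPACE),
        ("O'Brien", WHITELIST_ALNUM_SPACE),
        ("<b>bold</b>", BLACKLIST_HTML),
        ("price=10 -- comment", BLACKLIST_INJECTION),
        ("line one\nline two", BLACKLIST_INJECTION_NEWLINE),
    ]
    for value, option in samples:
        print(f"{option!r}: {value!r} -> {violations(value, option)}")
```

The whitelist is the strongest of the options because it rejects everything not explicitly permitted, including characters a blacklist author did not think of; the blacklists are useful where the item legitimately needs punctuation that the whitelist would refuse.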
Protecting Form Items:
To prevent cross-site scripting (XSS) attacks, always set the Escape special characters
attribute to On.
If you need to render HTML tags stored in the page item or in the entries of a list of
values, you can set this flag to Off. In such cases, you should take additional precautions to
ensure that any user input to such fields is properly escaped when entered and before it is saved.
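To make the difference between the On and Off settings concrete, here is an added Python model of an item being rendered into a region; it is not Application Express code. Python's standard `html.escape` stands in for the engine's own escaping routine, and the `PageItem` class, the item name `P1_NAME` and the stored sample value are constructed for the demonstration.

```python
"""Model of the 'Escape special characters' item attribute.

Added example, not Oracle's code: html.escape stands in for the engine's
escaping, and the template is a constructed stand-in for a display region.
"""
import html
from dataclasses import dataclass


@dataclass
class PageItem:
    name: str
    value: str                    # what is held in session state, any characters
    escape_special: bool = True   # the attribute the documentation says to leave On


def render(item: PageItem) -> str:
    """Render the item into a display-only span the way a region template would.

    With escape_special On the stored value is escaped at output time, so any
    markup in it is shown literally. With it Off the value is emitted verbatim
    and whatever it contains becomes part of the page.
    """
    shown = html.escape(item.value, quote=True) if item.escape_special else item.value
    return f'<span id="{html.escape(item.name, quote=True)}">{shown}</span>'


def escape_on_entry(raw: str) -> str:
    """The additional precaution required when the attribute is Off:
    escape user input before it reaches session state, so a later
    unescaped render still shows it as text."""
    return html.escape(raw, quote=True)


def contains_live_script(rendered: str) -> bool:
    """Detection helper for the demo: is an unescaped <script> tag present?"""
    return "<script" in rendered.lower()


# Constructed sample: a stored value that contains a script tag.
SAMPLE_VALUE = 'Hello <script>alert("xss")</script>'

if __name__ == "__main__":
    on = render(PageItem("P1_NAME", SAMPLE_VALUE))
    off = render(PageItem("P1_NAME", SAMPLE_VALUE, escape_special=False))
    off_but_escaped_on_entry = render(
        PageItem("P1_NAME", escape_on_entry(SAMPLE_VALUE), escape_special=False)
    )
    print("Escape On :", on)
    print("Escape Off:", off, "-> live script:", contains_live_script(off))
    print("Escape Off, escaped at entry:", off_but_escaped_on_entry)
```

Escaping at output time (attribute On) protects every rendering of the value, including ones added later; escaping at entry time only protects values that passed through that one input path, which is why the documentation treats it as a fallback for the cases where HTML must be rendered.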