Would tampering with SSP-protected fields be possible if someone could correctly calculate a new checksum?
We are creating an Oracle APEX application for one of our customers.
APEX 4.2.0.00.27, 11gR2 database
(Hidden) items are protected by the Session State Protection option "Checksum Required - Session Level". This prevents tampering with the value itself.
Security officers fear, however, that it might be possible to change the value of the item and recompute a checksum to match this value. And if the value of the item is the key to another row, this could mean modifying the data of another user.
In a response on the checksum mechanism in tabular forms, the steps are described as follows:
- checksum (I) on the row is calculated when rendering
- checksum (II) is calculated to verify the changes
- checksum (III) on the master data is calculated and compared to checksum (I) to ensure that the data has not been modified in the database.
If I apply this to the SSP checksum, I see the following steps:
- checksum (I) is calculated on the value of the item when rendering
- page is submitted
- checksum (II) on the data in the database is calculated and compared to checksum (I) to ensure that the value of the item has not been tampered with.
Now the scenario of security officers:
- someone finds a way to calculate the correct checksum for a value / all values
- checksum (I) is calculated on the value of the item when rendering
- they replace the value of the item "table_id" (1000) with another valid "table_id" value (900) and replace the original checksum (I) with a correct checksum (II) for the new value.
- page is submitted
- checksum (III) is calculated for the new "table_id" (900); this matches the 'false' checksum (II), and the data of row 900 are changed
If (and I think it is highly unlikely) someone were able to calculate correct checksums, would this scenario work? Or are we missing something in our way of thinking?
Hi user600985,
If an attacker has a way to calculate correct checksums, this scenario could work. That being said, I think it's very theoretical. Checksum protection is a fundamental security concept used in all sorts of web frameworks, not only APEX. I am convinced that our implementation is at least as good as the others.
However, security can (and very often should) be applied on all layers, not only the front-end server. For example, a layer below the URL/item checksum protection are the form and tabular form processes of APEX. You can add runtime where clauses that APEX adds automatically when it fetches rows or performs the insert/update/delete. They can be used to ensure that DML applies only to records that the user is allowed to see and edit. Further below, you have fine-grained access control (also known as VPD), which does something similar directly in the database. This is an Enterprise Edition feature, but you can also emulate it to some degree with views and triggers if you're on Standard Edition. The last layer is a sound relational data model where the correct data types and constraints maintain the integrity of the data. Depending on the complexity of an application, it is sometimes a good idea to add a logical view/trigger layer on top of the physical model, where the additional security checks are implemented.
Kind regards
Christian
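The database-level layers described in this answer, as an added example that is not part of the original thread and not Oracle's own code: a VPD policy that restricts every statement to the signed-in APEX user's rows, and the view-plus-trigger emulation for Standard Edition. The table `ORDERS`, its `owner_name` column, the schema `APP` and all object names are hypothetical.

```sql
-- Assumed (hypothetical) table: ORDERS(table_id PK, owner_name, amount) in schema APP.
-- owner_name holds the APEX user name that owns the row.

-- Option A, Enterprise Edition: VPD / fine-grained access control.
-- Oracle appends the returned predicate to every statement against ORDERS,
-- so a tampered table_id that passes the checksum still matches zero rows.
CREATE OR REPLACE FUNCTION orders_owner_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- v('APP_USER') is NULL outside an APEX session, so no rows qualify there.
  RETURN q'[owner_name = v('APP_USER')]';
END orders_owner_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWNER_ONLY',
    function_schema => 'APP',
    policy_function => 'ORDERS_OWNER_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);  -- also reject changes that move a row to another owner
END;
/

-- Option B, Standard Edition: emulate the same rule with a view and a trigger.
-- Base the APEX form on MY_ORDERS instead of ORDERS.
CREATE OR REPLACE VIEW my_orders AS
  SELECT table_id, owner_name, amount
    FROM orders
   WHERE owner_name = v('APP_USER')
WITH CHECK OPTION;

-- Backstop on the base table: fail loudly if DML reaches another user's row.
-- Design assumption: this also blocks DML issued from outside an APEX session.
CREATE OR REPLACE TRIGGER orders_owner_guard
  BEFORE UPDATE OR DELETE ON orders
  FOR EACH ROW
BEGIN
  IF v('APP_USER') IS NULL OR :OLD.owner_name <> v('APP_USER') THEN
    RAISE_APPLICATION_ERROR(-20001, 'Row is owned by another user');
  END IF;
END orders_owner_guard;
/
```

With either option in place, the row-level rule is enforced by the database regardless of what item value and checksum the browser submits.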
Similar Questions
-
I get the following errors when I am trying to download a test version of Dw;
ERROR: DW071:
ERROR: DW003: third payload Installer vcredist_x64.exe failed with exit code:-2147024546
ERROR: Cannot install the Microsoft Visual C++ 2012 Redistributable Package (x 64).
Chat is closed. I would be grateful if someone in the community could help me.
Take a look at this answer Re: third payload Installer vcredist_x64.exe failed with exit code: 2147942750
-
Help with the protected fields
Hi all
I have a form that has several fields. Of those, some are protected fields that are intended only for the administrator; the rest are intended for users in general. General users should submit the form by filling out only the fields that are intended for them. After the form is submitted, when the administrator opens it, he should be able to enter data in the protected fields and save. How can this best be achieved, so that only the administrator can bypass the protected fields?
Thank you.
Sidonie.
Hi Francine,
Here's a sample: https://acrobat.com/#d=1sM9qMpJpgo2Miox * YaQNg
In this I have set up four fields that are locked initially. There is a button which, when clicked will ask the user a password.
Now while the password is "124", the form uses a hash function to convert it to a hex code. I can't remember where I got the function, but it was one of the Adobe blogs. It would be unsafe to store the password "1234" in the form, so the hash code is stored instead: "03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4". The entered password is converted to a hex code and then compared to this.
Once the fields are unlocked, the background is highlighted. To protect the fields again, the administrator clicks the button and enters an incorrect password.
Now in your form, you can take parts of this solution - for example, have a text field for the password instead of a button; have a locking script in the exit event of the text fields, etc.
Hope that helps, sorry for the delay in getting back to you,
Niall
-
I bought Lenovo G550, 6 months before and now I got problems with my PC and have problem with the Windows product key due to scratch on it, so please tell me how it would be possible to get this product key.
Behind my laptop, here is a sticker that mentions: Proof of license, Certificate of authenticity, Microsoft, Microsoft Corporation @2005 X 15-53803, and on the bar code is mentioned after the number. 00.94 - 893-397-158 Product key. M... 62-8GX88-69-... - f7b
Hello BHASKARPIYA,
Product key finder programs, if anyone advises you to use them, will only find a Lenovo multiple factory install key on your preinstalled operating system and will be of no use in these circumstances.
You will need to contact Lenovo and request their assistance.
Or a way around this is to buy a Lenovo recovery DVD to reinstall the operating system or use the built-in recovery Partition containing an image of your OS and reinstall Windows like that.
No method requires a product key to be entered by you.
-
I already have 5 Lightroom and installed on my PC. Yesterday, I bought a Macbook Pro and I would like to install my Lightroom 5 in my new Macbook Pro. Is it possible to install on two different computers? If Yes, how is it possible to install via the Internet, like my Macbook Pro doesn't have CD Driver. Thank you very much for your support. Hope.
Hello
You can install and activate the perpetual (purchased) software on two computers, as long as you don't use it on more than one at a time.
To load the software on another computer, download and install it as you did on the first computer. Then enter your serial number to activate it.
Please find the link below to download:-Download Photoshop Lightroom
-
I have created a fillable form that is a contract, but I need a way for the person who fills out the form to insert their logo. Is it possible for someone to insert a logo when filling out the form? I'm looking through all the options under the 'add a text field' button.
It is not possible within a text field. If they have Acrobat, they can use the built-in Add Image tool under Tools - Content Editing.
If they have Reader XI or higher, they can use a button form field that you will need to set up for them, but the image must be in PDF format.
-
If I buy a prepaid one-year subscription to the Adobe Premiere Pro application, after the end of the one-year subscription would it be possible to use the program without updating, or should I pay each year?
You will not be able to use the program after the end of the subscription, unless you continue to subscribe. The only way to use Premiere Pro without a subscription is to buy the CS6 version. Remember that CC projects will not open properly in CS6.
-
I have been scammed by Mindbrix last week, and this community let me know... Thank you! Is it possible that they could have installed some sort of malicious software on my Macbook Pro X or am I protected? My computer works normally at this stage.
Is it possible that they could have installed some sort of malicious software on my Macbook Pro X or am I protected?
If you don't give them access to your computer or download something on their request, you should be fine. If you allow them access or downloaded something, you must erase and reformat your hard drive, then restore your computer from a backup taken before when you allowed them access. Change your passwords and other critical information also. Not sure what software have been installed. If necessary, contact your bank to make opposition and cancel your credit card.
-
I wonder if: when I go Incognito, is it possible that someone can keep track of Web sites and pages that I enter?
Hi master,
The answer to your question is yes and no.
No: No one can keep track of your history on the side of your computer.
Yes: Your ISP (Internet Service Provider) can keep track of your history.
Anyway, you do not have to worry about anyone using your computer accessing these data.
Here's the article for help in case you want to more information: https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history
I hope this helps, have a nice day.
-
Is it possible to plug a USB to my new iPad Pro, to transfer PDF files and some Jpeg files from the USB key with an adapter of lightning? If there is NO adapter, how can I get these files on the USB key and my iPad pro? I need these PDF files transferred my I touch pro. Any suggestions? Please
Thank you
Mike Tingey
The iPad does not support USB keys. There are some wireless flash drives that can be used, but not the classical records. I suggest you transfer the files to a computer and then sync them back to the iPad via iTunes.
-
My child has its own Apple ID, throughout I would buy apps for her and she would transfer to his iPad. But since a new update she has no access to its power supplies that are on my shopping list. She is using "Video star" app?
Hi Breda49
iTunes purchases (free downloads are taken for granted) are permanently linked to the Apple ID that was used to buy them.
To work around this problem, you can set up Family Sharing with your child. This will allow you to share all your purchases.
-
I would like the tabs to be colorful. Is it possible with Firefox? And/or for each new topic to have a different tab color?
The ColorfulTabs extension can be useful for you.
-
So I changed my password, took a nap, and when I woke up, I couldn't remember the password. So now, my phone says "disabled: connect to iTunes". Is it possible that someone from Apple can activate my phone (preferably without restoring to the factory settings)?
Once disabled, it cannot be re-enabled in the restaurant if you plant.
An Apple Store can do for you. but you can also just connect to a computer running iTunes and do it yourself.
No matter how you do it, it will be restored.
-
I have a project in iMovie HD6 and want export to Final Cut Pro. I see that it is not possible from the previous questions, but is it possible that I could maybe create a dvd of the iMovie project and then who import in Final Cut? I just want to make a new trailer for the project.
What you suggest is possible, but it takes third-party software and involves quality loss.
Instead, export a QuickTime movie. If you have a choice of codecs, choose Apple Intermediate Codec. You can save it where you want it - maybe in the movies.
Then import the movie into FCP as a clip.
Good luck.
Russ
-
Can I upgrade from 4550 dimension bios and how
I want to update my Dimension 4550 BIOS to enable me to use a bigger HD. If it's possible, can someone teach me how to go about that? The current version of the BIOS is A01.
Go here:
There are three choices; the first requires a bootable floppy, the third will create a set of boot floppies, and the second is a "floppy" setup that flashes the BIOS from Windows.
Be forewarned: if it screws up during the update because of a loss of power or fault, you basically turn your PC into a paperweight. Flash BIOS that went wrong is sometimes very difficult to recover from and sometimes impossible.
SC Tom