🔐 Locking Down Public Pages - Stop URL Tampering with a Custom Checksum Using DBMS_CRYPTO in Oracle APEX

🚩Introduction 

  • In many Oracle APEX applications, public pages are accessed using links generated outside of APEX, such as from emails, external systems, or third-party portals. These URLs often carry parameters like an ID or reference number to show specific data.

  • Normally, APEX protects these URLs using a built-in checksum. But when the URL is generated outside of APEX, then the APEX rejects the request as a checksum mismatch. To solve this, we can build our own custom checksum logic using the DBMS_CRYPTO package, so the link stays secure even when it's created from outside the application.

📑 Why This Approach Is Needed

In Oracle APEX applications, public pages are open to anyone with the link, which means the URL parameters can be easily changed by a user. If there is no validation, someone could simply edit the ID in the URL and view data that doesn't belong to them.

Building a custom checksum becomes important when:

  • The URL is generated outside of APEX, so the default session checksum cannot be used
  • Sensitive data is shown on a public page without requiring login

  • Parameters in the URL need to be protected from manual tampering

  • A secret key based validation is needed to confirm the link is genuine

  • Applications need a way to reject the page request if the values don't match

This approach helps to keep public pages secure and prevents unauthorized access through URL tampering, and gives the developers full control over how the link is validated in Oracle APEX.

👉 Use Case: Preventing URL Tampering on Public Pages Using DBMS_CRYPTO

In Oracle APEX, public pages often receive parameters through links generated by external systems, such as emails or third-party applications. Since these links are created outside of APEX, the standard checksum protection cannot be applied, leaving the URL open to tampering.

In this blog, we will see how to generate a custom checksum using the DBMS_CRYPTO package by combining all the input values with a secret key, and then validate this checksum on the public page in Oracle APEX. If the checksum doesn't match, the page can throw an Invalid Access message, keeping the page secure without depending on the default APEX checksum.

Step 1: 

In the App Builder, create a new page and set the page template as Standard, to which we be redirecting via external link.. 

Step 2: 

Navigate to the Security section and select the Authentication type as Page is Public (since this is going to be public page) and set the Page Access Protection to Unrestricted.

Step 3: 

Create a page item of type Hidden and name the page item as USER_ID, which is going to hold the value passing through the URL (We are going to pass the user id in the url) .

Step 4: 

Create another page item of type Hidden and name the page item as SIGNATURE, which is going to hold the value passing through the URL (We are going to pass the Signature - hashed value in the url) .

Step 4: 

Create required Database objects like Function GET_SIGNATURE_F which is used to get the user inputs and return the hash value using the DBMS_CRYPTO package. Create one procedure SEND_PAGE_LINK_PROC which is used to generate the page link along with the user inputs and the hash value and sends this url via Email.
--- Function to Generate the Hash Value using DBMS_CRYPTO Package -----

CREATE OR REPLACE FUNCTION
GET_SIGNATURE_F(v_param VARCHAR2) RETURN VARCHAR2 IS v_secret_key VARCHAR2(100) := '#PUBL1C$P@GE!'; -- you can replace any value BEGIN RETURN lower(rawtohex(dbms_crypto.hash( utl_i18n.string_to_raw(v_param || ':' || v_secret_key, 'AL32UTF8'), dbms_crypto.hash_sh256 ) ) ); END;
--- Procedure to Generate the Page Link and sent via the Email -----

CREATE OR REPLACE PROCEDURE
SEND_PAGE_LINK_PROC ( v_emp_id NUMBER ) IS v_url VARCHAR2(4000); BEGIN ---Replace the APP ID,PAGE ID and Page items in the below link v_url := 'https://oracleapex.com/ords/f?p=43271:26:0::NO::P26_USER_ID,P26_SIGNATURE:' || v_emp_id || ',' || GET_SIGNATURE_F(v_emp_id); --to generate the Hash Value APEX_MAIL.SEND( p_to => 'xyz@gmail.com', p_from => 'abc@gmail.com', -- Replace with your Email ID's p_subj => 'Page Access Link', p_body_html => '<a href="' || v_url || '">Click here to open the page</a>' ); APEX_MAIL.PUSH_QUEUE; END SEND_PAGE_LINK_PROC;

Step 5: 

Now in the Public Page, create one page process in the Pre-rendering and copy paste the below to compare the hash value and to restrict the user access.
--- To Validate the Hash Value ----

IF
:P26_SIGNATURE != GET_SIGNATURE(:P26_USER_ID) THEN raise_application_error(-20001, 'Invalid Access'); END IF;

Step 6: 

Now open the URL or copy and paste the URL obtained via external source like Email, you can see the page is rendered. You can notice that user id 4451 and signature value is passed in the url.

Step 7: 

Now Change the User ID to any other value like 4452 and enter to reload the page. It generates the hash value by passing the new input (4452) and compares that with the passed hash value. Now the mismatch occurs in the hash value and it throws the error. You can use this logic to detect the URL Tampering in the public page without the pre-defined checksum and based on your requirement, you can perform any action like redirecting to any other page and showing Access Denied alert etc.



🔥 Conclusion

Thus, in Oracle APEX, generating a custom checksum using DBMS_CRYPTO with a secret key allows public pages to stay secure even when the URL is created outside the application. This prevents users from tampering with URL parameters, blocks unauthorized access with an Invalid Access message, and gives developers a reliable way to protect public pages while keeping the implementation simple. 


Comments

Popular posts from this blog

🔍 Extending Smart Search Filter for Multiple Regions

💡 Designing Dynamic QuickPicks in Oracle APEX

📌Track Active Tab switch in Region Display Selector without any plugins