KScope 2025
Philipp Hartenfeller | Kevin Thyssen
18-JUN-2025 | Grapevine, TX
Please ask questions any time
In these slides: only APEX
Other areas (quadrant diagram, not covered here): non-technical vs. technical, server vs. client
Client-side issues
javascript: pseudo-protocol
Checksums
/...?p12_id=3...&cs=1ldsBsao2j...
The cs parameter carries the session state protection checksum for the URL item values
Protection must also be enabled for read-only items and for hidden items with protection enabled, because the browser can set and submit any item anyway:
$s("P13_SAL", 1234);                  // set the "read-only" item from the browser console
apex.page.submit({request: "SAVE"});  // submit the page; without protection the 1234 is saved
SQL Injections
Use bind variables (:P1_ITEM) in SQL sources in APEX
When you see dynamic SQL anywhere, your 🧠️ should be ⚠️️
Safe options for dynamic SQL:
- bind variables (:var, e.g. execute immediate ... using)
- dbms_assert for identifiers that cannot be bound
- apex_exec or dbms_sql
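The same lookup written the unsafe way and the three safe ways from the slide, as an added PL/SQL example that is not part of the original deck. It assumes a table EMP(ENAME, SAL) and a caller that passes user input in p_ename; the package name demo_sqli and the function names are invented for illustration.

```plsql
-- Added example (not from the slides). Assumes a table EMP(ENAME, SAL);
-- the package and function names are hypothetical.
create or replace package demo_sqli as
  function sal_unsafe    (p_ename in varchar2) return number;
  function sal_bind      (p_ename in varchar2) return number;
  function sal_from_table(p_table in varchar2, p_ename in varchar2) return number;
  function sal_apex_exec (p_ename in varchar2) return number;
end demo_sqli;
/

create or replace package body demo_sqli as

  -- VULNERABLE: user input is concatenated into the statement text.
  -- p_ename => 'x'' or 1=1 --' turns the statement into
  --   select sal from emp where ename = 'x' or 1=1 --'
  -- which matches every row; the attacker rewrote the query, not just a value.
  function sal_unsafe(p_ename in varchar2) return number is
    l_sal number;
  begin
    execute immediate
      'select sal from emp where ename = ''' || p_ename || ''''
      into l_sal;
    return l_sal;
  end sal_unsafe;

  -- SAFE: the value travels as a bind variable, the statement text never changes,
  -- and the same parsed cursor is reused for every call.
  function sal_bind(p_ename in varchar2) return number is
    l_sal number;
  begin
    execute immediate
      'select sal from emp where ename = :ename'
      into l_sal using p_ename;
    return l_sal;
  end sal_bind;

  -- An identifier (table or column name) cannot be bound, so validate it with
  -- dbms_assert instead: simple_sql_name raises ORA-44003 for anything that is not
  -- a plain identifier, e.g. 'emp where 1=1 --'. The value part stays a bind.
  function sal_from_table(p_table in varchar2, p_ename in varchar2) return number is
    l_sal number;
  begin
    execute immediate
      'select sal from ' || dbms_assert.simple_sql_name(p_table)
      || ' where ename = :ename'
      into l_sal using p_ename;
    return l_sal;
  end sal_from_table;

  -- Inside APEX, apex_exec binds the parameters for you, so the statement text is
  -- again constant and the input can only ever be a value.
  function sal_apex_exec(p_ename in varchar2) return number is
    l_params  apex_exec.t_parameters;
    l_context apex_exec.t_context;
    l_sal     number;
  begin
    apex_exec.add_parameter(l_params, 'ENAME', p_ename);
    l_context := apex_exec.open_query_context(
                   p_location       => apex_exec.c_location_local_db,
                   p_sql_query      => 'select sal from emp where ename = :ENAME',
                   p_sql_parameters => l_params);
    if apex_exec.next_row(l_context) then
      l_sal := apex_exec.get_number(l_context, 'SAL');
    end if;
    apex_exec.close(l_context);
    return l_sal;
  exception
    when others then
      apex_exec.close(l_context);
      raise;
  end sal_apex_exec;

end demo_sqli;
/
```

Call each function with p_ename => 'x'' or 1=1 --' to see the difference: sal_unsafe executes a rewritten statement, while the other three look for an employee literally named x' or 1=1 -- and return no row.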
XSS
<script>alert('XSS')</script> in inputs
Also possible in your own htp.p output → use the apex_escape pkg
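The htp.p case from the slide, as an added PL/SQL example that is not part of the original deck: the unescaped output beside its escaped form, plus the two other escape contexts a page usually needs. The procedure name demo_xss is invented; p_name stands for any user-supplied value, e.g. the content of a page item.

```plsql
-- Added example (not from the slides). demo_xss is a hypothetical name;
-- p_name is any user-controlled value written into a page with htp.p.
create or replace procedure demo_xss(p_name in varchar2) is
begin
  -- VULNERABLE: the raw value lands in the HTML. With
  --   p_name => '<script>alert(''XSS'')</script>'
  -- the script executes in the browser of every user who views the page.
  htp.p('<p>Hello ' || p_name || '</p>');

  -- SAFE: apex_escape.html turns <, >, &, " and ' into entities, so the
  -- browser renders the text instead of executing it.
  htp.p('<p>Hello ' || apex_escape.html(p_name) || '</p>');

  -- The escape must match the context: an attribute value needs
  -- html_attribute (so a " cannot close the attribute), and a JavaScript
  -- string needs js_literal, which escapes the value and wraps it in quotes.
  htp.p('<input type="text" value="' || apex_escape.html_attribute(p_name) || '">');
  htp.p('<script>var userName = ' || apex_escape.js_literal(p_name) || ';</script>');
end demo_xss;
/
```

Escaping is done at output time, not on input: storing the raw value is fine, and the same value may need a different escape depending on where it is written.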
philipp@united-codes.com
kevin.thyssen@united-codes.com
Slides at hartenfeller.dev