APEX – Session State Protection (SSP)

Protecting your application against URL tampering (altering URLs to manipulate data) is vital when building applications. In APEX, Session State Protection (SSP) can be configured at multiple levels, including Application, Page, Page Item, and Application Item.

SSP Application: When you create an application, it is created with SSP enabled by default.

SSP Page: It defaults to “Arguments Must Have a Checksum,” which means that the URL includes a checksum to prevent URL tampering and ensure data integrity.

SSP Application Item: Restricted – Cannot be set from the browser.

SSP Page Item: By default, there is no SSP enabled at the item level.

We can validate this by creating an application, with one page, one page item and an application item.

Then check the SSP settings: go to Shared Components -> Session State Protection.

Since the SSP level for the page item is set to “Unrestricted” by default, it creates a potential vulnerability that can be exploited for URL tampering.

Points to consider:

  1. The items within a page are protected by the page-level SSP. However, if, for some reason, the page SSP gets disabled, all items are also left unprotected.
  2. If one disables the SSP on the application level, it will disable all protection at all levels.

To check the SSP settings via SQL instead of the APEX UI, query the APEX dictionary views:

-- pages whose page-level SSP is switched off
select * from apex_application_pages where page_access_protection = 'Unrestricted';

-- page items that can still be set from the URL
select * from apex_application_page_items where item_protection_level = 'Unrestricted';
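The two queries above can be combined into one audit that also applies the "points to consider": an unrestricted item on a page that has no checksum requirement is exposed twice over. This is an added example, not a query from the original post; the columns page_access_protection and item_protection_level are the ones the post uses, while the join keys application_id and page_id and the item_name column are assumed to exist in the APEX dictionary views.

```sql
-- Added audit query: every page item left 'Unrestricted', together with
-- the SSP setting of the page it sits on, ranked by exposure.
-- Assumed: apex_application_page_items and apex_application_pages share
-- application_id / page_id, and the item view exposes item_name.
select i.application_id,
       i.page_id,
       p.page_access_protection,
       i.item_name,
       i.item_protection_level,
       case
         -- page SSP off AND item unrestricted: nothing stops URL tampering
         when p.page_access_protection = 'Unrestricted'
           then '1-HIGH: neither page nor item protected'
         -- page checksum still guards the URL, but the item itself is open
         else '2-MEDIUM: page checksum only'
       end as exposure
from   apex_application_page_items i
join   apex_application_pages p
       on  p.application_id = i.application_id
       and p.page_id        = i.page_id
where  i.item_protection_level = 'Unrestricted'
order by exposure, i.application_id, i.page_id, i.item_name;
```

Items reported as MEDIUM are the ones the first "point to consider" warns about: they are safe only for as long as the page-level SSP stays enabled.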

Setting SSP on the items is usually a good practice, but sometimes you need to leave the items unrestricted due to different requirements.

Over & Out
