Feature Request FR-4422
Product Area Application Builder
Status CLOSED

1 Voters

Add checksum to buttons to prevent spoofing of :REQUEST value

zafar_farhan Public
· Apr 24 2025

Idea Summary
The current server-side conditions of “when button pressed” or “REQUEST =” do not validate that the button was rendered by the APEX framework. This can easily be spoofed by amending the submit value in the rendered page source or by adding a button with a known name to escalate privileges on a page.

When the amended/added button is then subsequently clicked, it will submit the page with a REQUEST value that was not rendered by the framework and trigger any page processing that is set with a condition of that button being pressed or REQUEST value being set.

Use Case
Manually amend a button's submit value to another button name or add a button with a submit value of a known button that the user is not allowed to see.

Click the button and any processing / region conditions that are based on a REQUEST or button value related to this amended button will be triggered, providing unauthorised access to database processing logic or page regions and data.

Preferred Solution (Optional)
Can a checksum be created by the framework for each button that is rendered, including any created for toolbars? This checksum should then be validated on button click to verify that the button was rendered by the framework and not amended or added by a malicious user.

This validation would then protect the “when button pressed” and “REQUEST=” server-side clauses. This would also allow client-side hide/show of buttons to work, as the button will have been rendered by the framework on page load before hiding.

This should also be backwards compatible for legacy apps as the validation would take place by the framework on page submit and show a page error if the checksum is no longer valid.

Open to other suggestions on this, as the request/button value is used frequently for button processing logic and is open to abuse. On very complex pages where a button can be used for multiple regions, the logic for working out if a button is to be displayed can be fairly complex, and having to add that to each process / region that relies on REQUEST or button pressed can become unmanageable.

We reviewed this idea carefully and came to the conclusion that it does not constitute an appropriate APEX feature request.

Comments


  • carsten.czarski APEX Team OP 2 weeks ago

    The server side should never implement authorization logic or checks based on the REQUEST value. Checksum or no checksum: the server must not trust any value from the browser. If the browser sends an APPLY_CHANGES request, all server-side processing must check whether this request is legitimate; this is typically done by checking :APP_USER (which the browser cannot manipulate).

    BTW: When a page is submitted, it's not only about REQUEST values: every value received from the browser must not be trusted, and every server-side operation must apply its own checks. It's the same thing as not relying on the browser sending only valid values for a select list. The browser can submit any value, and the server must apply means to ensure correct values; that is typically done using validations and/or referential integrity on the tables.

    The REQUEST value is information about which button the end user clicked. The server-side logic must verify that this click was legitimate.
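
What the reply above describes, as an added example that is not part of this thread and not Oracle's own code: a page process body in which REQUEST only selects the action, while the right to perform it is re-checked on the server. The ORDERS table, the item P10_ORDER_ID, the authorization scheme name CAN_APPROVE_ORDERS and the APPROVE request name are assumptions made for illustration.

```plsql
-- Added example; all object names are hypothetical:
--   table ORDERS(id, status, approver), page item P10_ORDER_ID,
--   authorization scheme CAN_APPROVE_ORDERS, button/request name APPROVE.
--
-- Weak form: the process has only the server-side condition
-- "REQUEST = APPROVE" and runs
--   update orders set status = 'APPROVED' where id = :P10_ORDER_ID;
-- Every submit that carries REQUEST=APPROVE reaches that update,
-- whether or not the button was ever rendered for this user.
--
-- Checked form: the decision rests on the session user and the row,
-- not on which button name the browser sent.
declare
    l_order_id orders.id%type;
begin
    if :REQUEST = 'APPROVE' then
        -- 1. Is the session user allowed to perform this action at all?
        --    Evaluated on the server for the current session.
        if not apex_authorization.is_authorized(
                   p_authorization_name => 'CAN_APPROVE_ORDERS' )
        then
            raise_application_error( -20001, 'Not authorized to approve orders.' );
        end if;

        -- 2. The item value is browser input too: convert it strictly,
        --    a non-numeric value raises an error here.
        l_order_id := to_number( :P10_ORDER_ID );

        -- 3. Row-level rule lives in the statement itself, so a valid
        --    approver still cannot touch an order that is not theirs
        --    or that is not in the expected state.
        update orders
           set status = 'APPROVED'
         where id       = l_order_id
           and status   = 'SUBMITTED'
           and approver = :APP_USER;

        if sql%rowcount <> 1 then
            raise_application_error( -20002, 'Order cannot be approved by this user.' );
        end if;
    end if;
end;
```

The same conditions that decide whether the button is displayed belong in a shared authorization scheme or function, so that rendering and processing evaluate one definition instead of repeating the logic per process.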