Web Architecture | 245

mation flow between the database and the client could get temporary access to the data as it passes through. The easiest place to get access to the data, though, is at the database.

One of the challenges with databases is that if an attacker can either pass requests through to them or can get access to the database server itself, the data could be compromised. Even if the data were encrypted in transmission or encrypted on disk, the data could be stolen. If an attacker can access credentials that the application server needs to access the data, the attacker could similarly access data in the database by querying it. Once a user has been authenticated to the database server, it's irrelevant that the data is encrypted anywhere because it has to be decrypted by the database server in order to be presented to the requestor.

Because of the possible sensitivity of the information in the database and the potential for it to be compromised, this server is probably high on the list of key systems, if not at the very top. Because of that, other mechanisms may be in place to better protect this system. Any of the elements within the architecture can expose the data that's stored on this system, so ideally mechanisms are in place on all of them to ensure that the data is not compromised. The data stored here is a common target of the different web-based attacks, but it is not the only target.

Web-Based Attacks

Because so many websites today have programmatic elements and the service is often exposed to the open internet, they become nice targets for attackers. Of course, attacks don't have to come in the shape of sending malicious data into the application, though those are common. There are other ways of getting what the attacker is looking for. Keep in mind that the motivation is not always the same. Not every attacker is looking to get complete access to the database. They may not be looking to get a shell on the target system. Instead, there may be other motivations for what they are doing. As the canvas for developing web applications expands with more frameworks, more languages and more helper protocols and technologies, the threat increases.

One of the most impactful breaches to date—the Equifax data breach—was caused as a result of a framework used to develop the website. A vulnerability in that framework, left unpatched long after the issue had been fixed and announced, allowed the attackers in where they were able to make off with the records of about 148 million people.

Often, attacks are a result of some sort of injection attack: the attacker sends malicious input to the application, which treats it as though it were legitimate. This is a result of a problem with data validation; the input wasn't checked before it was acted
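To make the data-validation point concrete, here is an added example (not code from the book) that puts a lookup built by string concatenation next to a parameterized one and an allow-list check. The table, rows and crafted input are all constructed here, using Python's standard sqlite3 module in place of a real database server.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the backend database server.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_unsafe(conn, username):
    # The input is spliced into the SQL text, so the database cannot tell
    # where the data ends and the query logic begins.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # A bound parameter is sent separately from the statement; whatever the
    # value contains, it is only ever compared as data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

# Allow-list check applied before the input reaches the database layer.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")

def validate_username(value):
    return USERNAME_RE.fullmatch(value) is not None

def compare(username):
    """Return (unsafe_rows, safe_rows, passed_validation) for one input."""
    conn = build_db()
    return (
        lookup_unsafe(conn, username),
        lookup_safe(conn, username),
        validate_username(username),
    )

if __name__ == "__main__":
    # Ordinary input: both lookups agree and validation passes.
    print(compare("alice"))
    # Constructed input that closes the quote and appends a condition that is
    # always true: the concatenated query returns every row, the parameterized
    # query returns nothing, and the allow-list rejects it up front.
    print(compare("x' OR '1'='1"))
```

The same input produces two different outcomes only because of how the query was assembled, which is why validation and parameterization are both worth having: the first rejects malformed input early, the second removes the ambiguity that makes the injection possible.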