The database is the heart of any website or application, and hacking into it can cause serious losses. First, let us discuss the possible database-specific attacks and then talk about various means to protect our infrastructure from them.
We all know that a database is a structured collection of data in digital form. The structure consists of the schema, definitions, tables that store the data in an organized form, views that are virtual tables, stored queries to improve performance, etc. The database engine is responsible for accepting SQL query requests, executing them and providing data back to the querying computer.
A database server may or may not use the authentication services and access controls provided by the operating system; it often uses the controls provided by the engine itself. Each user who is supposed to log in to the database to access information is bound by basic security features such as roles and rules.
We will first look at a few ways by which a hacker tries to gain control of a database, followed by a few protection mechanisms that we can deploy to address these problems:
1. Password Guessing:
Once the hackers gain control of the web server, they look for the application configuration files that typically contain the database server name, user ID and password to access it. If the file is encrypted or if the information is hard coded in the code for security reasons, hackers are left with the option of guessing the password. Often the database system administrator's account name remains unchanged, which solves half of the hacker's problem! In most cases, the user-name and password are the same; if not, hackers try guesswork or brute force methods to gain access to the database. Depending upon the access level granted to the user, hackers gain control and are capable of doing further damage.
2. Packet Sniffing:
Modern hackers gain control of the network in which the database server is hosted, and deploy a sniffer to capture packets flowing to and from the database server. These packets are then analyzed to decipher user-name and password combinations, with the ultimate aim of getting those of the root database administrator.
3. Query String Manipulation:
When a web server gets a request from a browser, it receives it in the form of a Web URL containing a query string parameter, which directs the Web application to the database to fetch the requested data.
4. Privilege elevation:
As mentioned, database servers use roles and rules to control the user's access to a particular database, table or resource. Attackers usually inject scripts that try to find out the most generous level of privileges and, upon finding one, use it to cause further damage.
5. Vulnerability exploitation:
Like operating systems, database servers, too, have bugs resulting in serious vulnerabilities. Attackers can explore and exploit those either through the Web layer, or by injecting a Trojan in the system. Hackers are always looking for unpatched database systems for this purpose.
6. SQL Injection:
This attack is not a pure database attack, but in fact a fairly well known combination of database and Web vulnerability. The attackers use Web pages to plant the attack.
7. Database DoS:
As in a typical denial of service attack, the attacker plants code either on a web server or on the database server itself, which sends requests to the database in order to overwhelm it.
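To make items 3 and 6 concrete, the following added example (not from the original article) shows a query-string value reaching the database first by string concatenation and then through a validated, bound parameter. The table, URLs and function names are constructed for illustration, and SQLite stands in for the database engine.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests: a normal one and one with a tampered "id" value.
NORMAL = "https://shop.example/orders?id=2"
TAMPERED = "https://shop.example/orders?id=2%20OR%201%3D1"

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)")
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "laptop"), (2, "bob", "phone"), (3, "carol", "router")],
    )
    return db

def order_id_from_url(url):
    """Return the decoded 'id' query-string value as the browser sent it."""
    return parse_qs(urlsplit(url).query).get("id", [""])[0]

def fetch_concatenated(db, url):
    # Weak: the query-string value becomes part of the SQL text itself,
    # so the engine parses whatever the client supplied as SQL.
    raw = order_id_from_url(url)
    sql = "SELECT id, owner, item FROM orders WHERE id = " + raw
    return db.execute(sql).fetchall()

def fetch_parameterized(db, url):
    # Hardened: reject anything that is not a plain integer, then bind the
    # value as data so it can never change the structure of the statement.
    raw = order_id_from_url(url)
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, owner, item FROM orders WHERE id = ?"
    return db.execute(sql, (int(raw),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for label, url in (("normal", NORMAL), ("tampered", TAMPERED)):
        print(label, "concatenated ->", fetch_concatenated(db, url))
        try:
            print(label, "parameterized ->", fetch_parameterized(db, url))
        except ValueError as exc:
            print(label, "parameterized -> rejected:", exc)
```

With the tampered request the concatenated query returns every row in the table, while the parameterized version rejects the request before it reaches the database.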