If you’re planning on taking the Security+ exam, you should have a basic understanding of common attacks related to different types of servers. This includes transitive access attacks and client-side attacks.
For example, can you answer this question?
Q. Your organization hosts a web site within a DMZ and the web site accesses a database server in the internal network. ACLs on firewalls prevent any connections to the database server except from the web server. Database fields holding customer data are encrypted and all data in transit between the web site server and the database server are encrypted. Which of the following represents the GREATEST risk to the data on the server?
A. Theft of the database server
B. XML injection
C. SQL injection
D. Sniffing
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Transitive Access and Client-Side Attacks
Transitive access relationships refer to trusts, such as between two servers. They allow the two servers to share data. However, without additional security controls such as input validation, this trust relationship can allow unauthorized personnel to access restricted data. SQL injection attacks are a type of transitive access attack performed from the client side using a web browser.
As an example, consider the following figure. Homer is able to access the web server, and the web server is able to access the database server. However, even though Homer is not able to access the database server directly, he might be able to access the database server using transitive access via his web browser.
Figure: Protected database server
Security Controls
The following security controls are in place:
- FW1. Rules in the access control list (ACL) of FW1 open ports 80 and 443 allowing HTTP and HTTPS traffic, respectively.
- FW2. Microsoft SQL Server uses port 1433, so a rule in the ACL of FW2 allows traffic from the web server to the database server over port 1433. FW2 blocks all other traffic using port 1433.
- Encryption of data at rest. Encryption on the database server protects confidential customer data such as credit card information. Administrators commonly encrypt the fields holding this data, but don’t encrypt the entire database. This protects the data if thieves steal the database server, or if an attacker copies the entire database file.
- Trust relationship between web server and database server. This trust relationship allows the web server to query the database server and retrieve data. This trust relationship also ensures the database application decrypts data at rest before sending it to the web server.
- Data in transit between the web server and the database server. Transport Layer Security (TLS) encrypts data in transit between the web server and database server. This prevents an attacker from reading data captured with a protocol analyzer in a sniffing attack.
- Data in transit between the customer and the web server. HTTPS encrypts sensitive data between the customer and the web server. This also prevents sniffing attacks.
All of these security controls provide a strong defense-in-depth strategy with several layers of security. However, they aren’t enough.
If the application on the web server isn’t using input validation techniques, an attacker can use a SQL injection attack from the client side. The SQL injection attack uses transitive access to get to the database server through the web server.
In addition to explaining a client-side attack using transitive access, this also provides a great reminder that security is never done. Network and database administrators have implemented a strong defense-in-depth strategy. However, if web application developers don’t implement security controls such as input validation, attackers can bypass all of the security controls and access the data.
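The following is an added example (not code from the original post) showing why the firewall ACLs, encryption at rest, and TLS in the figure do not stop the attack described above. It uses an in-memory SQLite table with constructed sample customers standing in for the protected database server, a web-application lookup written two ways (string concatenation versus a parameterized query), and an allow-list input validation check as a second layer. The table layout, the username policy, and the sample rows are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the protected database server.
# The card values are placeholders, not real numbers.
SAMPLE_CUSTOMERS = [
    (1, "homer", "4111-xxxx-xxxx-1111"),
    (2, "marge", "5500-xxxx-xxxx-2222"),
    (3, "bart", "3400-xxxx-xxxx-3333"),
]

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")  # assumed username policy


def make_db():
    """Build the in-memory database the 'web server' is trusted to query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, username TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Web application that builds the query by string concatenation.

    Whatever the browser sends becomes part of the SQL statement that the
    trusted web server forwards to the database server, so the attacker's
    input passes through every network and encryption control unchanged.
    """
    query = "SELECT username, card FROM customers WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    """Same lookup as a parameterized query.

    The driver sends the value separately from the statement, so the input
    is always treated as data and cannot change the statement's structure.
    """
    query = "SELECT username, card FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def is_valid_username(username):
    """Allow-list input validation: reject anything outside the assumed policy."""
    return USERNAME_RE.fullmatch(username) is not None


def demo():
    """Run both lookups with an ordinary username and with a crafted one.

    The crafted string is the classic tautology used in textbooks to show
    that concatenated SQL lets input rewrite the WHERE clause.
    """
    conn = make_db()
    normal = "homer"
    crafted = "' OR '1'='1"  # constructed input, illustrates the risk only
    return {
        "vuln_normal": len(lookup_vulnerable(conn, normal)),    # 1 row
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),  # every row
        "hard_normal": len(lookup_hardened(conn, normal)),      # 1 row
        "hard_crafted": len(lookup_hardened(conn, crafted)),    # 0 rows
        "validation_rejects_crafted": not is_valid_username(crafted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the numbers make: the concatenated version returns every customer row for the crafted input even though FW2 only allows the web server through and the data was encrypted at rest and in transit, because the web server itself is the trusted party issuing the query. The parameterized version returns nothing for the same input, and the allow-list check rejects it before a query is ever built; use both, since validation alone is easy to get wrong.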
Remember this
A client-side attack uses an application on the client computer, such as a web browser. A transitive access attack attempts to access a back-end server through another server. A SQL injection attack is an example of a transitive access attack that can bypass many other security controls.
Q. Your organization hosts a web site within a DMZ and the web site accesses a database server in the internal network. ACLs on firewalls prevent any connections to the database server except from the web server. Database fields holding customer data are encrypted and all data in transit between the web site server and the database server are encrypted. Which of the following represents the GREATEST risk to the data on the server?
A. Theft of the database server
B. XML injection
C. SQL injection
D. Sniffing
Answer is C. A SQL injection attack allows an attacker to send commands to the database server to access data. Encryption protects it on the server and in transit, but the web server can decrypt it.
Because the data in the database server is encrypted, theft of the server isn’t a significant risk.
There aren’t any indications that the database server is replying with Extensible Markup Language (XML) data, so an XML injection attack isn’t a risk.
Because data is encrypted while in transit, sniffing isn’t a significant risk.