[WEB SECURITY] SQL injection and N tier Architecture

The Dead th3d34d at gmail.com
Mon Feb 4 20:23:30 EST 2013


Hello!

It depends! And I think you mean DMZ architecture as well, right?

When you have a structure with 3 tiers, in case some attacker
compromises the web application layer, if it is configured properly he
wouldn't have access to the database (in theory) and access to the
appserver will be restricted. If he compromises the application server
through the webapp, there is a big chance he gets access to the database.
If your web application layer is isolated in a DMZ and an attacker
compromises it, then he would be isolated in the DMZ (in theory and depending
on proper configuration). If he compromises your application (app
server) and if your app is in the internal network along with your
database, then he would compromise not only your app but probably your
database and even your internal network.

Talking specifically about SQL injection, it doesn't add any kind of
protection. As said before, prepared statements are the solution.

TH3D34D
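As an added example that is not part of this post or the thread: the difference the prepared-statement advice above makes, shown with Python's sqlite3 module against a constructed in-memory `users` table (table name, columns and rows are assumptions). The concatenated query lets a quoted test input rewrite the WHERE clause; the parameterized query treats the same input as a plain value.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """String concatenation: the input is spliced into the SQL text, so
    quote characters in it become SQL syntax (the coding issue the thread
    is about; no tier layout changes this)."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_parameterized(conn, name):
    """Prepared statement: the SQL text is fixed and the input is bound as
    a value, so it can only ever be compared, never parsed."""
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


# Constructed test input a reviewer would use to check a query for injection:
# it closes the string literal and appends an always-true condition.
TAUTOLOGY_INPUT = "x' OR '1'='1"


def compare(name):
    """Run both variants on the same input and return the two result sets."""
    return {
        "vulnerable": find_user_vulnerable(make_db(), name),
        "parameterized": find_user_parameterized(make_db(), name),
    }


if __name__ == "__main__":
    print(compare("bob"))             # both return ['bob']
    print(compare(TAUTOLOGY_INPUT))   # vulnerable returns every row, parameterized none
```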

On Mon, Feb 4, 2013 at 10:59 PM, Infosec <infosecm at gmail.com> wrote:
> I know SQL injection is code issue.
>
> The purpose of my question is, why is three tiers more secure than two tiers?
> What will three-tier protect me from?
>
> Thank you all.
>
>
> On Feb 5, 2013, at 3:51 AM, Jim Manico <jim at manico.net> wrote:
>
>> I second that notion.
>>
>> https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
>>
>> - Jim
>>
>>> You are barking up the wrong tree. SQL injection is a coding issue, tell your devs to use parameterized queries.
>>>
>>> -phil
>>> @bsdwiz
>>>
>>> On Feb 4, 2013, at 4:56 PM, Infosec <infosecm at gmail.com> wrote:
>>>
>>>> Hello,
>>>>
>>>> I need to know how the different architectures will affect application security.
>>>> For example:
>>>>
>>>> A. Web server and Database server
>>>> B. Web server, Application server and Database server
>>>>
>>>> How secure are the above architectures from SQL injection?
>>>>
>>>> I know multi-tier is more secure, but I need more explanation.
>>>> Multi-tier is more secure, but still doesn't prevent SQL injection, isn't it?
>>>>
>>>>
>>>> Regards,
>>>> _______________________________________________
>>>> The Web Security Mailing List
>>>>
>>>> WebSecurity RSS Feed
>>>> http://www.webappsec.org/rss/websecurity.rss
>>>>
>>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>>>
>>>> WASC on Twitter
>>>> http://twitter.com/wascupdates
>>>>
>>>> websecurity at lists.webappsec.org
>>>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
