[WEB SECURITY] SQL injection and N tier Architecture

Paul Johnston paul.johnston at pentest.co.uk
Tue Feb 5 04:10:58 EST 2013


Hi,

Separating the web server from application server adds almost zero
practical security. Attacks against the application - such as SQL
injection - will simply pass through the web server, and have the same
impact at the application layer. Attacks against the web server may be
slightly mitigated, but the impact of a compromised web server is still
serious, and web server vulnerabilities are now rare - so this doesn't
help you much either.

It's notable that .Net (unlike Java) never persued the approach of
separating web and application server.

A variation of the three tier archiecture that does add some security is
to replace the web server with a web app firewall.

Paul


On 04/02/2013 22:56, Infosec wrote:
> Hello,
>
> I need to know how the different architecture will effect on
application security.
> For example:
>
> A. Web server and Database server
> B. web server , Application server and Database server
>
> How much the above architectures secure from SQL injection?
>
> I know multi-tier is more secure, but I need more explination.
> Multi-tier is more secure, but still doesn't prevent SQL injection, isn't?
-- 
Pentest - The Application Security Specialists

Paul Johnston - IT Security Consultant / Tiger SST
PenTest Limited - ISO 9001 (44/100/107029) / ISO 27001 (IS 558982)

Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072

Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20130205/c691f243/attachment.html>


More information about the websecurity mailing list