[WEB SECURITY] SQL injection and N tier Architecture
paul.johnston at pentest.co.uk
Tue Feb 5 04:10:58 EST 2013
Separating the web server from application server adds almost zero
practical security. Attacks against the application - such as SQL
injection - will simply pass through the web server, and have the same
impact at the application layer. Attacks against the web server may be
slightly mitigated, but the impact of a compromised web server is still
serious, and web server vulnerabilities are now rare - so this doesn't
help you much either.

It's notable that .Net (unlike Java) never pursued the approach of
separating web and application server.

A variation of the three tier architecture that does add some security is
to replace the web server with a web app firewall.

On 04/02/2013 22:56, Infosec wrote:
> I need to know how the different architecture will effect on
> For example:
> A. Web server and Database server
> B. Web server, Application server and Database server
> How secure are the above architectures from SQL injection?
> I know multi-tier is more secure, but I need more explanation.
> Multi-tier is more secure, but still doesn't prevent SQL injection, does it?
Pentest - The Application Security Specialists
Paul Johnston - IT Security Consultant / Tiger SST
PenTest Limited - ISO 9001 (44/100/107029) / ISO 27001 (IS 558982)
Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK
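
The point made in the reply above, that SQL injection passes through a separate web tier and has the same impact at the application layer, shown as an added example that is not part of the original message. The table, the function names and the use of an in-memory SQLite database are assumptions made for illustration, and the parameterized query is the standard fix rather than something the message discusses.

```python
import sqlite3

def make_db():
    """Database tier: in-memory SQLite with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("alice", 100), ("bob", 250), ("carol", 75)])
    return db

def app_lookup_concat(db, owner):
    """Application tier, vulnerable: input is spliced into the SQL text."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def app_lookup_param(db, owner):
    """Application tier, hardened: input is bound as data, never parsed as SQL."""
    return db.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()

def web_tier(app_handler, db, query_params):
    """Hypothetical separate web tier: it knows nothing about SQL and only
    relays the request parameter to the application tier."""
    return app_handler(db, query_params.get("owner", ""))

def run_all():
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    return {
        # Architecture A: request reaches the application code directly.
        "two_tier_concat": app_lookup_concat(db, crafted),
        # Architecture B: same request relayed through a separate web tier.
        "three_tier_concat": web_tier(app_lookup_concat, db, {"owner": crafted}),
        # Architecture B with the query fixed where it is built.
        "three_tier_param": web_tier(app_lookup_param, db, {"owner": crafted}),
        "three_tier_param_benign": web_tier(app_lookup_param, db, {"owner": "bob"}),
    }

if __name__ == "__main__":
    for name, rows in run_all().items():
        print(f"{name}: {rows}")
```

The extra tier returns the same rows as the direct call; only changing how the application tier builds the query changes the result.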