[WEB SECURITY] SQL injection and N tier Architecture

Philippe Sevestre psevestre at gmail.com
Mon Feb 4 20:32:06 EST 2013


Hi,

There is a statement in your question that made me curious: is there any
published, numeric evidence that multi-tiered architectures are less prone
to SQL injections? This is the kind of recommendation I see people make all
the time based on - supposedly - better practices.

Since the flaw that allows a SQL injection is always at the server with
direct access to the database, it makes no sense to me that additional
layers would make any difference in the overall ability to withstand an
attacker.

If anything, developers in charge of those intermediate layers are less
likely to implement proper input sanitization, since it is not "their"
code that'll be blamed for any incident... OTOH, the "backend" developers
often assume that the middle tier will do all validation, a scenario prone
to massive breaches.

You _can_ recommend a multi-tiered architecture - but not using SQL
injection "resistance" as an argument. For instance, a front-end server
might be more exposed to infrastructure issues, so if an attacker gets
access to it, he/she would automatically get access to the database too,
whereas in the multi-tiered case another successful attack would be required
to reach the database.

Note, however, that if the middle tier is owned by the attacker, SQL
injections may not be necessary at all. He/she will act as a
man-in-the-middle, manipulating all data that flows through at his/her will.

On 04/02/2013 21:11, "Infosec" <infosecm at gmail.com> wrote:

> Hello,
>
> I need to know how the different architectures will affect application
> security.
> For example:
>
> A. Web server and database server
> B. Web server, application server and database server
>
> How secure are the above architectures against SQL injection?
>
> I know multi-tier is more secure, but I need more explanation.
> Multi-tier is more secure, but still doesn't prevent SQL injection, isn't it?
>
>
> Regards,
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>
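An added illustration of the point Philippe makes (example code, not from either poster): a stand-in application-server tier forwards user input to two versions of the data-access code, one that concatenates the value into the SQL and one that binds it as a parameter. The tier count is the same in both runs; only the backend's query construction decides whether the quoted input changes the query. The helper names, the in-memory SQLite database and the length-only check in `middle_tier` are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the database tier."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def backend_concat(conn, name):
    """Data-access code that builds SQL by string concatenation: the flaw
    itself, located in the tier that talks to the database."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def backend_param(conn, name):
    """Same lookup with a bound parameter: the fix lives in this tier too,
    regardless of how many tiers sit in front of it."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def middle_tier(backend, conn, name):
    """Application-server stand-in. It only checks type and length (assumed
    to mirror a middle tier that leaves 'real' validation to the backend)
    and forwards the value unchanged."""
    if not isinstance(name, str) or len(name) > 64:
        raise ValueError("rejected by middle tier")
    return backend(conn, name)


def demo():
    """Run both backends behind the same middle tier and return the rows."""
    conn = make_db()
    benign = "bob"
    # Constructed input: well within the length limit, so the middle tier
    # passes it through; the quote character is what matters downstream.
    quoted = "x' OR '1'='1"
    return {
        "concat_benign": middle_tier(backend_concat, conn, benign),
        "concat_quoted": middle_tier(backend_concat, conn, quoted),
        "param_benign": middle_tier(backend_param, conn, benign),
        "param_quoted": middle_tier(backend_param, conn, quoted),
    }
```

With the concatenating backend the quoted input returns every row; with the parameterised backend it matches nothing, and the extra tier contributed nothing to either outcome.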