[WEB SECURITY] SQL injection and N tier Architecture

Marc Wickenden marc at offensivecoder.com
Tue Feb 5 04:29:09 EST 2013

On 5 Feb 2013, at 09:10, Paul Johnston <paul.johnston at pentest.co.uk> wrote:

> Separating the web server from application server adds almost zero practical security. 

Separating the different tiers does have benefits though; as with everything, a lot depends on your particular application and any vulnerabilities it may have. The main thing which springs to mind with regard to separating your web/app layer from your database is mitigation of attacks where you can leverage SQL Injection to write content into the web server Document Root or some other web-accessible location. This, in my experience, is one of the quickest ways to gain flexible, arbitrary/shell access to a host.

If you separate, this attack becomes infeasible or, at least, much harder. Depending on how you segment your network, it should also mean you can prevent outbound connections from your database server to the Internet. This gives you a reasonable degree of protection from reverse shells, etc.

Separating the web and app layers is a slightly different proposition and for me the benefits are even more dependent on your particular environment. A simple example would be those companies who might run something like Tomcat/JBoss and want to use the web/jmx console. By deploying the app layer to a separate host you can gain more network layer control over who can access those admin interfaces. There is significantly less risk than hosting it on an Internet-facing server. Less potential for human error exposing it accidentally to the horde of bots crawling for /admin, etc.

Bottom line is, separating out does not solve security problems per se, but it gives you options and raises the bar. The longer you can keep an attacker busy and the noisier you can make them once they've got an initial toehold in your app, the more chance you've got of reducing the impact of the attack.

My 2p.
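
The segmentation described in the message above can be checked against observed network flows. The following is an added example, not part of the original post: the tier subnets, ports, allow-list and flow records are all constructed assumptions. It flags any connection initiated by the database tier and any access to the app-tier admin console from outside a management network.

```python
import ipaddress

# Constructed tier layout (assumption, not from the post).
TIERS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
    "mgmt": ipaddress.ip_network("10.0.9.0/24"),
}
ADMIN_PORT = 8080  # assumed port of the app server's admin console
# Allowed (source tier, destination tier, destination port); all else is flagged.
ALLOWED = {
    ("internet", "web", 443),
    ("web", "app", 8009),
    ("app", "db", 5432),
    ("mgmt", "app", ADMIN_PORT),
}
# Constructed sample flow records: (source, destination, destination port).
FLOWS = [
    ("203.0.113.7", "10.0.1.10", 443),
    ("10.0.1.10", "10.0.2.10", 8009),
    ("10.0.2.10", "10.0.3.10", 5432),
    ("10.0.3.10", "198.51.100.20", 443),  # db tier reaching the Internet
    ("10.0.1.10", "10.0.2.10", 8080),     # admin console from web tier
    ("10.0.9.5", "10.0.2.10", 8080),
    ("10.0.1.10", "10.0.3.10", 5432),     # web tier talking to db directly
]

def tier_of(addr):
    """Map an address to its tier name, or 'internet' if it is in none."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in TIERS.items() if ip in net), "internet")

def classify(src, dst, port):
    """Return None for an allowed flow, otherwise the reason it is flagged."""
    s, d = tier_of(src), tier_of(dst)
    if (s, d, port) in ALLOWED:
        return None
    if s == "db":  # the database tier should only accept connections
        return "db tier initiated a connection to " + d
    if d == "app" and port == ADMIN_PORT:
        return "admin console reached from outside mgmt"
    return f"{s} -> {d}:{port} not in allow-list"

def audit(flows):
    """Return (flow, reason) for every flow that breaks the policy."""
    return [(f, r) for f in flows if (r := classify(*f)) is not None]

if __name__ == "__main__":
    for flow, reason in audit(FLOWS):
        print(flow, "=>", reason)
```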
