
Database Management System Misconfiguration

Overview of the Vulnerability

Database Management System (DBMS) misconfiguration can arise from software or hardware misconfiguration, unpatched vulnerabilities, or human error. A misconfigured DBMS exposes the business to Denial of Service (DoS) attacks, injection attacks, buffer overflows, malware, and attacks against backup databases. Any of these can give an attacker access to the database and, potentially, read or write access to its contents.

Business Impact

DBMS misconfigurations can lead to reputational damage for the business through a loss of user confidence and trust. They can also lead to indirect financial loss through intellectual property theft, industry and regulatory fines, breach investigation activities, and customer notification once an attacker has gained and exploited access to the DBMS. The severity of the business impact depends on the privilege level of the access gained by the attacker.

Steps to Reproduce

  1. Enable an HTTP interception proxy, such as Burp Suite or OWASP ZAP

  2. Use a browser to navigate to the vulnerable functionality: {{value}}

  3. Use the web proxy to intercept the request

  4. Navigate to the vulnerable functionality: {{value}}

  5. Forward the following request to the endpoint:

{{request}}

  6. Observe that the database has the following misconfiguration: {{value}}.

Proof of Concept (PoC)

The screenshot(s) below demonstrate(s) the misconfiguration:

{{screenshot}}

Recommendation(s)

Database security is multi-tiered, relying on a number of best practices to keep the business’s data secure. The following should be kept in mind:

  • Databases should have sufficient physical security. Both on-premises and cloud-based databases should be located within a secure environment

  • All data at rest and in transit should be encrypted in accordance with best practices

  • Administrative and network access controls should be managed on the principle of least privilege, and these controls should be part of a regular audit and review process

  • Software and hardware should be maintained inside a regular maintenance and review lifecycle

  • All security controls should be part of an organization-wide monitoring and audit review lifecycle
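The recommendations above are deliberately DBMS-agnostic. As an added illustration (not part of this template, and not tied to any specific finding), the script below lints two PostgreSQL configuration fragments for the classes of misconfiguration the recommendations address: encryption in transit (`ssl`), network exposure (`listen_addresses`, any-address `pg_hba.conf` rules), authentication strength (`trust`, `md5`) and auditability (`log_connections`). PostgreSQL is an assumption chosen for the example; the sample configuration fragments are constructed and show a weak configuration beside its hardened counterpart.

```python
"""Lint PostgreSQL-style configuration for common DBMS misconfigurations.

Added example; the configuration fragments below are constructed and do not
come from any real host. Settings checked: ssl, listen_addresses,
password_encryption, log_connections (postgresql.conf) and the
TYPE DATABASE USER ADDRESS METHOD rules of pg_hba.conf.
"""
from ipaddress import ip_network

# Constructed postgresql.conf fragment with several weak settings.
WEAK_POSTGRESQL_CONF = """
listen_addresses = '*'          # listens on every interface
ssl = off                       # client traffic is unencrypted
password_encryption = md5       # legacy password hashing
log_connections = off           # no audit trail of connection attempts
"""

# The same settings hardened (10.0.5.12 is a constructed internal address).
HARDENED_POSTGRESQL_CONF = """
listen_addresses = '10.0.5.12'
ssl = on
password_encryption = scram-sha-256
log_connections = on
"""

# Constructed pg_hba.conf fragment: TYPE DATABASE USER ADDRESS METHOD
WEAK_PG_HBA = """
host    all       all   0.0.0.0/0     trust
host    all       all   ::/0          md5
local   all       postgres            peer
"""

# Hardened: one application role, one database, one subnet, TLS enforced.
HARDENED_PG_HBA = """
hostssl appdb     app   10.0.5.0/24   scram-sha-256
local   all       postgres            peer
"""


def parse_conf(text):
    """Parse 'key = value' lines (postgresql.conf style), dropping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def check_postgresql_conf(text):
    """Return a list of findings for a postgresql.conf fragment."""
    s = parse_conf(text)
    findings = []
    if s.get("ssl", "off").lower() != "on":
        findings.append("ssl is not enabled: data in transit is unencrypted")
    if s.get("listen_addresses", "localhost") in ("*", "0.0.0.0", "::"):
        findings.append("listen_addresses accepts connections on every interface")
    # An unset value is treated as the older md5 default so that it is flagged.
    if s.get("password_encryption", "md5").lower() != "scram-sha-256":
        findings.append("password_encryption is not scram-sha-256")
    if s.get("log_connections", "off").lower() != "on":
        findings.append("log_connections is off: connection attempts are not audited")
    return findings


def check_pg_hba(text):
    """Return a list of findings for a pg_hba.conf fragment."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type, method = fields[0], fields[-1]
        if method == "trust":
            findings.append(f"{line!r}: trust authentication requires no credentials")
        if fields[1] == "all" and fields[2] == "all":
            findings.append(f"{line!r}: every user may reach every database")
        # Remote rule types carry an ADDRESS field; a /0 prefix matches anyone.
        if conn_type in ("host", "hostssl", "hostnossl") and len(fields) >= 5:
            try:
                net = ip_network(fields[3], strict=False)
            except ValueError:
                net = None  # hostnames or keywords such as 'samenet' are not checked
            if net is not None and net.prefixlen == 0:
                findings.append(f"{line!r}: rule matches every source address")
    return findings


if __name__ == "__main__":
    for name, text, checker in (
        ("weak postgresql.conf", WEAK_POSTGRESQL_CONF, check_postgresql_conf),
        ("hardened postgresql.conf", HARDENED_POSTGRESQL_CONF, check_postgresql_conf),
        ("weak pg_hba.conf", WEAK_PG_HBA, check_pg_hba),
        ("hardened pg_hba.conf", HARDENED_PG_HBA, check_pg_hba),
    ):
        print(f"{name}: {len(checker(text))} finding(s)")
        for f in checker(text):
            print("  -", f)
```

The weak fragments produce four `postgresql.conf` findings and five `pg_hba.conf` findings; the hardened fragments produce none. The checker is a starting point for the "regular audit and review process" bullet: run it against configuration pulled from each database host and track the finding count over time.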
