Highly sensitive data is stored in a database and is accessed by an application on a DMZ server. The disk
drives on all servers are fully encrypted. Communication between the application server and end-users is also
encrypted. Network ACLs prevent any connections to the database server except from the application server.
Which of the following can still result in exposure of the sensitive data in the database server?
Theft of the physical database server
The question discusses a very secure environment with disk and transport level encryption and access control
lists restricting access. SQL data in a database is accessed by SQL queries from an application on the
application server. The data can still be compromised by a SQL injection attack.
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL
statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is
either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not
strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but
can be used to attack any type of SQL database.