Highly sensitive data is stored in a database and is accessed by an application on a DMZ server.
The disk drives on all servers are fully encrypted. Communication between the application server
and end-users is also encrypted. Network ACLs prevent any connections to the database server
except from the application server. Which of the following can still result in exposure of the
sensitive data in the database server?

A.
SQL Injection

B.
Theft of the physical database server

C.
Cookies

D.
Cross-site scripting

Explanation:

The question discusses a very secure environment with disk and transport level encryption and
access control lists restricting access. SQL data in a database is accessed by SQL queries from
an application on the application server. The data can still be compromised by a SQL injection
attack.
SQL injection is a code injection technique, used to attack data-driven applications, in which
malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database
contents to the attacker). SQL injection must exploit a security vulnerability in an application’s
software, for example, when user input is either incorrectly filtered for string literal escape
characters embedded in SQL statements or user input is not strongly typed and unexpectedly
executed. SQL injection is mostly known as an attack vector for websites but can be used to
attack any type of SQL database.