Abstract:
The application is configured to communicate with its database server in plain text over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks.
Explanation:
The application communicates with its database server over unencrypted channels, which poses a significant security risk to the company and to the users of that application. An attacker positioned on the network path can read the traffic, modify user-entered data in transit, or even inject arbitrary SQL commands that the database server then executes.
Example 1: The following configuration causes the application to communicate with its database server over unencrypted channels:
<connectionStrings>
    <add name="Test" connectionString="Data Source=210.10.20.10,1433; Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;" providerName="System.Data.SqlClient" />
</connectionStrings>
Recommendations:
Most database servers offer encrypted alternatives on different ports that use SSL/TLS to encrypt all the data being sent over the wire. Always use these alternatives when possible.
Example 2: The following configuration causes the application to communicate with its database server over encrypted channels:
<connectionStrings>
    <add name="Test" connectionString="Data Source=210.10.20.10,1433; Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword; Encrypt=yes;" providerName="System.Data.SqlClient" />
</connectionStrings>
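The two configurations above differ only in the Encrypt keyword, which is easy to miss in a review of a large web.config. The following Python script is an added example (not part of the original page or of any vendor tool) that parses a <connectionStrings> section and reports, for each entry, whether Encrypt is enabled and whether the server certificate is still validated. It assumes the SqlClient conventions that keywords are case-insensitive, that Encrypt accepts yes/true (and, in newer Microsoft.Data.SqlClient versions, Mandatory/Strict), and that TrustServerCertificate=yes/true disables certificate validation; the third sample entry is constructed to show that last case.

```python
"""Audit ADO.NET-style connection strings for transport encryption.

Added example: parses a <connectionStrings> section and flags entries
that either send traffic in clear text (no Encrypt) or encrypt but skip
certificate validation (TrustServerCertificate enabled).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Assumption: Encrypt values treated as "on" by SqlClient. yes/true are the
# classic System.Data.SqlClient values; Mandatory/Strict come from
# Microsoft.Data.SqlClient.
ENCRYPT_ON = {"yes", "true", "mandatory", "strict"}
TRUST_ON = {"yes", "true"}


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased keyword.

    Keywords are case-insensitive in SqlClient, so the key is normalised.
    Fragments without '=' (e.g. a trailing ';') are ignored.
    """
    params = {}
    for part in conn.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


@dataclass
class Finding:
    encrypted: bool              # Encrypt keyword is on
    validates_certificate: bool  # encrypted AND TrustServerCertificate is off
    messages: list = field(default_factory=list)


def check_encryption(conn: str) -> Finding:
    """Classify one connection string."""
    params = parse_connection_string(conn)
    encrypted = params.get("encrypt", "").lower() in ENCRYPT_ON
    trust_any = params.get("trustservercertificate", "").lower() in TRUST_ON
    finding = Finding(encrypted=encrypted,
                      validates_certificate=encrypted and not trust_any)
    if not encrypted:
        finding.messages.append(
            "Encrypt is not enabled: database traffic is sent in clear text")
    elif trust_any:
        finding.messages.append(
            "TrustServerCertificate is enabled: traffic is encrypted but the "
            "server identity is not verified, so an active MiTM is still possible")
    return finding


def audit_connection_strings(config_xml: str) -> dict:
    """Check every <add> element under <connectionStrings>; keyed by name."""
    root = ET.fromstring(config_xml)
    return {
        add.get("name"): check_encryption(add.get("connectionString", ""))
        for add in root.iter("add")
    }


# Constructed sample: the two entries from the page plus a third that
# enables encryption but trusts any certificate.
SAMPLE_CONFIG = """
<connectionStrings>
    <add name="Plain" connectionString="Data Source=210.10.20.10,1433; Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;" providerName="System.Data.SqlClient" />
    <add name="Encrypted" connectionString="Data Source=210.10.20.10,1433; Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword; Encrypt=yes;" providerName="System.Data.SqlClient" />
    <add name="TrustAny" connectionString="Data Source=210.10.20.10,1433; Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword; Encrypt=true; TrustServerCertificate=true;" providerName="System.Data.SqlClient" />
</connectionStrings>
"""

if __name__ == "__main__":
    for name, finding in audit_connection_strings(SAMPLE_CONFIG).items():
        status = "OK" if finding.validates_certificate else "FINDING"
        print(f"{name:10} {status:8} {'; '.join(finding.messages)}")
```

The check deliberately treats Encrypt=yes together with TrustServerCertificate=yes as a finding: the wire is encrypted, but without certificate validation the client will happily complete the handshake with whoever answers on port 1433, which is the same MiTM exposure the recommendation is meant to close. Leave TrustServerCertificate at its default and deploy a certificate the client can verify instead.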