Questions tagged [databases]
Security related aspects of databases and database access.
762 questions
3 votes, 2 answers, 700 views
Are client certificates a secure way of having a publicly facing SQL database?
Quick context:
I often come across videos where people build apps using SQL database services alongside serverless functions (like AWS Lambda, Vercel, and others) without setting up a VPC to keep the ...
5 votes, 2 answers, 1k views
Accessing a database publicly via HTTPS API vs. native but with client certificates
There are database services offering access to the database via an HTTPS API, such as Neon and Algolia. This is great for serverless environments, but from a security standpoint, I’m curious if this ...
0 votes, 1 answer, 67 views
Is encrypting REST exposed database identifiers a bad idea?
At the end of the Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet it says
Avoid encrypting identifiers as it can be challenging to do so securely.
On login I store a cryptographically generated ...
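The alternative the cheat sheet prefers over encrypting IDs is an indirect reference map: the client only ever sees a random, per-session token, and the server resolves it back to the real primary key. The following is an added illustration of that pattern, not code from the question or from OWASP; the class and method names are my own, and the per-session scope is an assumption about how the asker's login flow would use it.

```python
import secrets


class IndirectReferenceMap:
    """Per-session map from opaque random tokens to internal database IDs.

    Encrypting the real ID has to get key management, malleability and
    equality leakage right (deterministic encryption makes identical IDs
    produce identical ciphertexts). A random token sidesteps all of that:
    it carries no information, it is only minted for objects this session
    was authorized to see, and it means nothing in any other session.
    """

    def __init__(self):
        self._token_to_id = {}
        self._id_to_token = {}

    def expose(self, db_id: int) -> str:
        """Return the token for db_id, minting one on first use.

        Call this only after the authorization check that decided the
        session may reference this object; the map is the allow-list.
        """
        if db_id in self._id_to_token:
            return self._id_to_token[db_id]
        token = secrets.token_urlsafe(16)  # 128 random bits: not guessable
        self._token_to_id[token] = db_id
        self._id_to_token[db_id] = token
        return token

    def resolve(self, token: str) -> int:
        """Translate a client-supplied token back to the database ID.

        A token that was never issued in this session (guessed, or copied
        from another user's session) simply does not exist here.
        """
        try:
            return self._token_to_id[token]
        except KeyError:
            raise PermissionError("unknown or foreign object reference") from None


def demo() -> bool:
    """Two sessions: a token minted for Alice resolves for her, not for Bob."""
    alice, bob = IndirectReferenceMap(), IndirectReferenceMap()
    token = alice.expose(4711)  # 4711 is a constructed sample row id
    assert alice.resolve(token) == 4711
    try:
        bob.resolve(token)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("cross-session token rejected:", demo())
```

The cost is server-side state per session (a dictionary here; a cache keyed by session id in practice), which is exactly the trade the cheat sheet is pointing at: keep the mapping on the server rather than trying to make an encrypted ID safe to hand out.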
3 votes, 1 answer, 3k views
Is this database exploitable?
I'm starting out as a bug bounty hunter and found a website that might have a problem, yet I'm unsure if it's exploitable or not.
When sending any payload that contains % I get an error:
Invalid query ...
1 vote, 0 answers, 61 views
Is a TPM protected datastore available/possible/desirable?
It seems technically plausible to me that one could implement some form of data store where the individual data points are protected by the encryption provided by the Trusted Platform Module available ...
4 votes, 1 answer, 468 views
Putting the database's mongod.conf under $HOME/web-server/ instead of /etc/
Would there be any security concerns saving mongod.conf to $HOME/web-server/mongod.conf instead of /etc/mongod.conf?
If the config was under $HOME/web-server/mongod.conf would that mean someone (or a ...
0 votes, 1 answer, 88 views
How can I securely store a sensitive user attribute used for account lookup?
At $work we need to store a sensitive attribute of a user (say SSN - so, short and with a small keyspace) and look up the user based on this attribute when data is submitted into our system. We cannot ...
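The difficulty the question names, a short value with a small keyspace, is what rules out a plain hash as the lookup column: anyone holding the column can enumerate all 10^9 SSNs offline. A keyed hash (a "blind index", HMAC under a server-side secret) still supports equality lookup but makes each guess require the key. The block below is an added example, not the asker's code: the SSNs, owners and key handling are constructed for illustration, and the `crack` function is restricted to a 10^4-value prefix purely so it finishes instantly.

```python
import hashlib
import hmac
import secrets


def normalize(ssn: str) -> str:
    """Strip dashes/spaces so '000-00-3217' and '000003217' index identically."""
    return "".join(ch for ch in ssn if ch.isdigit())


def unkeyed_index(ssn: str) -> str:
    """What NOT to store: a plain hash over a 10^9-value space is brute-forceable."""
    return hashlib.sha256(normalize(ssn).encode()).hexdigest()


def blind_index(ssn: str, key: bytes) -> str:
    """Keyed lookup column: HMAC-SHA256 under a secret that lives outside the DB."""
    return hmac.new(key, normalize(ssn).encode(), hashlib.sha256).hexdigest()


# Assumption: in production this key comes from a KMS/HSM or secrets manager,
# never from a column or config file that leaks together with the table.
INDEX_KEY = secrets.token_bytes(32)


def server_index(ssn: str) -> str:
    return blind_index(ssn, INDEX_KEY)


# Constructed sample rows (SSNs beginning with 000 are never issued).
SAMPLE = [("000-00-3217", "alice"), ("000-00-0042", "bob")]


def build_table(records, index_fn):
    """Stand-in for the DB table: index column -> owner. The raw SSN is not stored here."""
    return {index_fn(ssn): owner for ssn, owner in records}


def lookup(table, ssn: str, index_fn):
    """Equality lookup works exactly as it would with the plaintext column."""
    return table.get(index_fn(ssn))


def crack(index_fn, target: str, prefix: str = "00000"):
    """Attacker with the stolen column but no key: enumerate candidates.

    Limited to the 10^4 SSNs sharing `prefix` so the demo is instant; the
    full 10^9 space is well within reach of a single machine for SHA-256.
    """
    for n in range(10_000):
        candidate = prefix + f"{n:04d}"
        if index_fn(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    keyed = build_table(SAMPLE, server_index)
    print("lookup:", lookup(keyed, "000003217", server_index))
    stolen_plain = unkeyed_index("000-00-3217")
    print("unkeyed cracked:", crack(unkeyed_index, stolen_plain))
    attacker_guess = lambda s: blind_index(s, secrets.token_bytes(32))
    print("keyed cracked:", crack(attacker_guess, server_index("000-00-3217")))
```

Two caveats a reviewer would add: the index is deterministic, so two accounts with the same SSN produce the same value (equality leaks, nothing else), and if the SSN itself must be recoverable it belongs in a separate AEAD-encrypted column, not in the index.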
0 votes, 0 answers, 357 views
MariaDB SQL Injection
I'm doing a website PT lab and I'm trying to figure out a SQL vulnerability in MariaDB.
After some scanning I found the /api/ path, and one of them gives the desired SQL
I found out that ' gives me the ...
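A single quote producing a database error is the classic sign that input is being concatenated into the statement, because the quote unbalances the SQL string literal. The snippet below is an added example, not the lab's code or the asker's: it uses Python's built-in sqlite3 as an offline stand-in for MariaDB (the exact error text differs, the unbalanced-quote behaviour does not), with a constructed three-row table, and shows the vulnerable query beside the parameterized one.

```python
import sqlite3

# Constructed sample rows standing in for the lab's table.
ROWS = [("alice", "public"), ("bob", "public"), ("carol", "secret")]


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, note TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return con


def vulnerable_lookup(con, name: str):
    # Input pasted into the statement text: a quote in `name` is SQL syntax.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def safe_lookup(con, name: str):
    # Bound parameter: the driver sends the value separately, quotes stay data.
    return con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def probe(con, payload: str):
    """Classify the response the way a tester reads it: an error, or N rows."""
    try:
        return ("rows", len(vulnerable_lookup(con, payload)))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    con = make_db()
    print("'            ->", probe(con, "'"))            # syntax error: the tell
    print("' OR '1'='1  ->", probe(con, "' OR '1'='1"))  # every row comes back
    print("safe         ->", safe_lookup(con, "' OR '1'='1"))  # no such name
```

The error is the starting point, not the finding: confirming exploitability means showing that the query's logic can be changed (the tautology above returning all rows) or data extracted, which is what tools like sqlmap automate; the fix on the application side is the bound-parameter form.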
2 votes, 1 answer, 1k views
Offline, multi-machine, 2-factor authentication information vault?
I think this should be the right SE, apologies otherwise.
I have been researching ways to be more careful with how I handle important documents and credentials, but everything I found sounded ...
1 vote, 1 answer, 297 views
Storing TOTP keys
I am working on an application which requires a session token to commence trading activities. This will be hosted on a cloud based Linux VM (Ubuntu) and a managed MySQL database.
Session tokens are ...
0 votes, 0 answers, 316 views
Accidentally used --flush-session --batch in sqlmap tool. Need help!
I was working on a target where sqlmap detected boolean-based time blind injection. Everything was working perfectly, but you know it was time blind injection, so I knew that this was going to take forever ...
0 votes, 1 answer, 181 views
Why is the boot key used to access the encrypted SAM database hashes?
A quick something I’ve been wondering: why is the boot key used to access the encrypted SAM database hashes (and not another key), and also what encryption mechanism is actually used to encrypt the ...
0 votes, 2 answers, 334 views
How do databases/companies change their hashing algorithm? [duplicate]
OK, so you all probably know that a hash is used to help secure a stored password in a database, if it was stolen.
When a user logs in, and enters a password, it gets hashed, and then matched to a ...
1 vote, 1 answer, 182 views
Library to securely expose query language to end user?
I have a DB that I would like to expose to end users for flexible search through their data. Currently using Elastic, but not tied to that: I can internally transform the data in any way to enable ...
0 votes, 1 answer, 380 views
OAuth2: Storing temp values in session vs database
I have implemented OAuth2 for a web app. Everything is stored in the session, and I am switching this to a database. This makes sense for the subject and roles, but it also includes the temporary ...