
Database Security

5 automated security scanners


Purpose: The SQL Database Security Scanner evaluates the security posture of SQL databases by detecting exposed MySQL/PostgreSQL/MSSQL instances, testing for SQL injection vulnerabilities, analyzing error messages, validating database authentication, and identifying misconfigurations that could lead to unauthorized access or SQL injection attacks.

What It Detects:

  • SQL Database Port Detection: Tests common ports (3306 for MySQL, 5432 for PostgreSQL, 1433 for MSSQL) to identify if the database services are exposed on the network.
  • SQL Injection Testing: Checks for vulnerabilities in input fields across various endpoints by injecting SQL commands and observing error messages or behavior changes.
  • Error Message Analysis: Analyzes verbose error messages to deduce database details, potentially revealing server architecture and version information.
  • Authentication Validation: Tests default credentials and authentication mechanisms to ensure they are secure and not easily guessable.
  • Database Fingerprinting: Identifies the type of SQL database (MySQL, PostgreSQL, MSSQL) and its version by probing common ports and analyzing responses.

Inputs Required:

  • domain (string): A fully qualified domain name (e.g., ekkatha.com) that represents the target application or server hosting the SQL databases.

Business Impact: SQL database vulnerabilities can lead to critical attacks, including unauthorized access to sensitive data and systems, bypassing authentication and authorization controls, and manipulation of queries through SQL injection. These issues pose significant risks to both data integrity and availability in an organization’s IT infrastructure.

Risk Levels:

  • Critical: High risk where the scanner identifies open database ports without proper authentication or detects SQL injection vulnerabilities that can be exploited with high confidence.
  • High: Medium to high risk scenarios, such as exposure of detailed error messages which might lead to guessing other parts of the system’s configuration or schema.
  • Medium: Moderate risk findings include detection of default credentials and potential misconfigurations in database settings.
  • Low: Low severity issues are typically informational, like detecting a non-standard port that is not actively exposed but could be a point of interest for future security audits.
  • Info: Informational findings pertain to the discovery of common ports used by SQL databases, which might indicate active or historical use without immediate security implications.

Example Findings:

  1. A MySQL database instance was detected on port 3306 without authentication, allowing unauthenticated access and potential SQL injection attacks.
  2. The MSSQL server version is disclosed in error messages, indicating a lack of proper configuration to hide system information.

This documentation provides a clear overview of the scanner’s purpose, what it detects, required inputs, business impact, risk levels, and examples of findings that might be flagged by the tool.
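The pattern behind example findings 1 and 2 above, as an added illustration rather than code from the page or the scanner: a lookup that splices input into SQL and hands the engine's error text back to the client, beside the parameterized form that logs the error server-side and returns a generic message. SQLite stands in for MySQL/MSSQL so it runs offline; the table contents and the name with an apostrophe are constructed.

```python
import logging
import sqlite3

log = logging.getLogger("db")

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a production user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("O'Brien", "analyst")])
    return conn

def lookup_role_unsafe(conn: sqlite3.Connection, name: str) -> dict:
    """Vulnerable pattern: SQL built by string formatting, and the raw engine
    error text returned to the caller (exactly what the scanner's
    error-message analysis looks for). A legitimate apostrophe is enough
    to break the query and leak the error."""
    try:
        rows = conn.execute(
            f"SELECT role FROM users WHERE name = '{name}'").fetchall()
        return {"roles": [r[0] for r in rows]}
    except sqlite3.Error as exc:
        return {"error": str(exc)}          # leaks engine error details

def lookup_role_safe(conn: sqlite3.Connection, name: str) -> dict:
    """Hardened pattern: bound parameter, so input is never parsed as SQL;
    the engine error goes to the server log and the client gets a generic
    message."""
    try:
        rows = conn.execute(
            "SELECT role FROM users WHERE name = ?", (name,)).fetchall()
        return {"roles": [r[0] for r in rows]}
    except sqlite3.Error as exc:
        log.error("lookup failed: %s", exc)
        return {"error": "lookup failed"}

if __name__ == "__main__":
    db = make_db()
    print(lookup_role_unsafe(db, "O'Brien"))   # engine error reaches the client
    print(lookup_role_safe(db, "O'Brien"))     # {'roles': ['analyst']}
```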


Purpose: The Data Warehouse Security Scanner evaluates data warehouse security by detecting publicly accessible analytics endpoints, testing BI tool exposure, checking for unprotected data export APIs, validating query interface security, and identifying weaknesses in data warehouse access controls that could enable unauthorized data access or exfiltration.

What It Detects:

  • BI Tool Detection: Identifies Tableau/PowerBI/Looker endpoints, detects exposed dashboards, checks for public data visualizations, tests for authentication requirements, and flags publicly accessible analytics.
  • Data Export API Analysis: Tests CSV/JSON export endpoints, checks for bulk data download, verifies export authentication, tests rate limiting on exports, and detects unrestricted data access.
  • Query Interface Security: Identifies SQL query interfaces, tests GraphQL endpoints, checks for API query capabilities, verifies query parameter validation, and detects SQL injection vectors.
  • Authentication Validation: Tests authentication on BI endpoints, checks API key requirements, verifies session management, tests for anonymous access, and detects weak access controls.
  • Data Exposure Analysis: Checks for sensitive data in responses, tests metadata endpoint exposure, verifies schema information leakage, detects PII in API responses, and flags excessive data disclosure.

Inputs Required:

  • domain (string): Fully qualified domain name (e.g., ekkatha.com)

Business Impact: Data warehouse vulnerabilities expose sensitive business intelligence, which can lead to the leak of confidential metrics, unauthorized data access or exfiltration through unprotected export APIs, and security breaches via weak query interfaces. This directly impacts the confidentiality, integrity, and availability of critical business information.

Risk Levels:

  • Critical: Unprotected export APIs enable mass data exfiltration, exposing sensitive financial and operational data that could lead to significant financial loss or competitive disadvantage.
  • High: Weak query interfaces allow SQL injection, which can be exploited by malicious users to gain unauthorized access to aggregated data stored in the data warehouse.
  • Medium: Exposed BI dashboards leak confidential metrics, potentially compromising strategic business decisions and operational efficiency.
  • Low: Metadata endpoint exposure and schema information leakage may lead to limited data discovery but does not pose a significant risk without other vulnerabilities present.
  • Info: Testing for anonymous access and session management primarily provides informational findings about potential improvements in user authentication practices.

Example Findings:

  1. “Unauthenticated dashboard access detected on Tableau endpoints, exposing confidential metrics.”
  2. “Public data export functionality detected on PowerBI endpoint, allowing unrestricted CSV downloads.”

This documentation has been adapted from the internal README of a tool focused on assessing the security posture of data warehouses. The purpose is to provide clear, actionable insights for users about what the scanner does and how it detects vulnerabilities in BI tools, export APIs, query interfaces, authentication mechanisms, and data exposure within a data warehouse environment.


Purpose: The Database Activity Monitoring Scanner is designed to assess the capabilities of database activity monitoring within an organization. It aims to identify and evaluate various aspects such as audit logging, query logging, access monitoring, and integration with monitoring tools to ensure comprehensive coverage of potential security threats and unauthorized activities.

What It Detects:

  • Audit Logging Detection: The scanner checks for the presence of audit log endpoints, verifies the availability of activity log APIs, detects any missing audit capabilities, and identifies the logging framework in use.
  • Query Logging Analysis: It tests for query log exposure, examines slow query logging, looks for error log endpoints, evaluates retention policies related to logs, and assesses access controls on log data.
  • Access Monitoring: The scanner checks for public access to log APIs, verifies authentication logging mechanisms, identifies tracking of failed login attempts, monitors connection activities, and flags any unmonitored access points.
  • Monitoring Tool Integration: It recognizes the presence of popular monitoring tools (Datadog, Splunk), explores SIEM integration capabilities, tests alerting endpoints for real-time monitoring, and evaluates the overall coverage provided by these tools.

Inputs Required:

  • domain (string): A fully qualified domain name (e.g., ekkatha.com) that represents the target database system under assessment.

Business Impact: Insufficient database monitoring can lead to significant security gaps, including but not limited to:

  • Missing query logs hinder forensic investigations and make it difficult to trace unauthorized access or malicious activities.
  • Unmonitored insider access lets insider threats and data breaches go undetected for extended periods.
  • Lack of audit trails can mask critical security incidents, delaying effective incident response and recovery efforts.
  • Weak monitoring fails to detect SQL injection attempts; catching them is crucial to safeguarding database integrity against malicious exploitation.
  • Poor logging practices result in delayed detection of unauthorized access or suspicious activities, potentially leading to more severe consequences for the organization.

Risk Levels:

  • Critical: The scanner identifies critical issues such as missing audit logs and unmonitored access points that could lead to significant security breaches and non-detection of malicious activities.
  • High: High risks are associated with exposure of query logs and slow query logs, and with inadequate retention policies; such logs can reveal unauthorized queries or insider threats, but those signals may not be apparent without proper monitoring.
  • Medium: Medium risk findings include the presence of error logs that could indicate system instabilities or malicious activities but do not pose an immediate critical threat to data security.
  • Low: Low risks pertain to informational aspects such as detection of failed login attempts and basic log access controls, which while important for operational visibility, do not significantly impact core security posture.
  • Info: Informational findings relate to the presence of monitoring tools and alerting mechanisms that are generally beneficial but currently undetected or inadequately configured within the scope of this scanner’s capabilities.

Example Findings:

  • The database system under assessment does not have any audit logs enabled, which could severely limit forensic investigation capabilities after a breach.
  • Query logs that reveal detailed information about user interactions with the database are accessible without proper authentication, posing a significant risk of unauthorized data access and potential insider threats.
  • Access logs indicate multiple failed login attempts from various IP addresses, suggesting possible brute-force attacks or credential stuffing scenarios that should be closely monitored.
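Detection logic for the third finding above, as an added example that is not part of the page or the scanner: it reads PostgreSQL-style authentication log lines, flags any client host with a burst of failed logins, reports how many distinct usernames were tried (a credential-stuffing indicator), and notes whether a successful login from that host followed the burst. The sample lines are constructed and assume a log_line_prefix of '%t [%p] %h '; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data), PostgreSQL-style with prefix '%t [%p] %h '.
SAMPLE_LOG = """\
2024-05-01 10:00:01 UTC [4101] 203.0.113.5 FATAL:  password authentication failed for user "app"
2024-05-01 10:00:02 UTC [4102] 203.0.113.5 FATAL:  password authentication failed for user "admin"
2024-05-01 10:00:03 UTC [4103] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-05-01 10:00:04 UTC [4104] 203.0.113.5 FATAL:  password authentication failed for user "root"
2024-05-01 10:00:05 UTC [4105] 203.0.113.5 FATAL:  password authentication failed for user "backup"
2024-05-01 10:00:09 UTC [4106] 203.0.113.5 LOG:  connection authorized: user=backup database=prod
2024-05-01 10:01:00 UTC [4107] 198.51.100.9 FATAL:  password authentication failed for user "app"
2024-05-01 10:05:00 UTC [4108] 198.51.100.9 LOG:  connection authorized: user=app database=prod
"""

LINE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ \[\d+\] (?P<host>\S+) '
    r'(?P<level>FATAL|LOG):\s+(?P<msg>.*)$')
FAIL = re.compile(r'authentication failed for user "(?P<user>[^"]+)"')
OK = re.compile(r'connection authorized: user=(?P<user>\S+)')

def detect_auth_abuse(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one finding per host with >= threshold failures inside `window`.
    Each finding records the failure count, distinct usernames tried, and any
    users that logged in successfully from that host after the burst."""
    fails = defaultdict(list)      # host -> [(timestamp, user)]
    successes = defaultdict(list)  # host -> [(timestamp, user)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                # unrelated or unparseable line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        f, s = FAIL.search(m["msg"]), OK.search(m["msg"])
        if f:
            fails[m["host"]].append((ts, f["user"]))
        elif s:
            successes[m["host"]].append((ts, s["user"]))
    findings = []
    for host, events in fails.items():
        events.sort()
        for i in range(len(events)):
            burst = [e for e in events[i:] if e[0] - events[i][0] <= window]
            if len(burst) >= threshold:
                last = burst[-1][0]
                findings.append({
                    "host": host,
                    "failures": len(burst),
                    "distinct_users": len({u for _, u in burst}),
                    "success_after_burst": [u for t, u in successes[host] if t >= last],
                })
                break               # one finding per host is enough
    return findings

if __name__ == "__main__":
    for finding in detect_auth_abuse(SAMPLE_LOG):
        print(finding)
```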

Purpose: The NoSQL Database Security Scanner is designed to evaluate and report on the security posture of NoSQL databases such as MongoDB, Redis, Cassandra, and CouchDB. It aims to identify potential vulnerabilities that could lead to unauthorized access, data exposure, and system compromise. By detecting exposed instances, testing for injection vulnerabilities, checking authentication mechanisms, validating access controls, and identifying misconfigurations, this scanner helps in securing the database environments against malicious threats.

What It Detects:

  • NoSQL Database Detection: The scanner tests for common ports associated with NoSQL databases (e.g., 27017 for MongoDB, 6379 for Redis) to identify if any services are exposed on these ports.
  • Authentication Testing: It checks whether MongoDB instances do not require credentials, verifies the presence of a password requirement for Redis connections, and assesses the enforcement of authentication mechanisms across different databases.
  • NoSQL Injection Testing: The scanner probes API endpoints for signs of NoSQL injection vulnerabilities by manipulating query parameters and JSON payloads.
  • Access Control Validation: It lists database collections or tables to check if unauthorized access is possible, verifies read and write operations are restricted appropriately, and flags any excessive permissions that could lead to data exfiltration.
  • Configuration Security: The scanner checks for the presence of admin interfaces, identifies default configurations, ensures proper network binding settings, and flags any insecure configurations that might be exploited by attackers.

Inputs Required:

  • domain (string): A fully qualified domain name (e.g., ekkatha.com) which is used to resolve IP addresses and scan for database services.

Business Impact: NoSQL databases, especially MongoDB and Redis, are known for flexible data storage and retrieval that does not impose strict application logic. Any exposure of these databases can lead to significant data leakage or unauthorized access, compromising the integrity and confidentiality of sensitive information stored within them. This not only affects direct business operations but also sets a precedent for future cyber threats that could be exploited by malicious actors.

Risk Levels:

  • Critical: Exposed MongoDB instances without authentication allow unauthenticated users to view all database contents, which is highly critical as it leads to complete data exposure. Redis running without any password set allows remote code execution, posing a significant threat to the system’s integrity and availability.
  • High: NoSQL injection vulnerabilities bypass application security measures, potentially leading to unauthorized access or manipulation of sensitive data stored in databases. Default credentials being accessible enable immediate login by anyone with this information, which is another high-risk scenario.
  • Medium: Misconfigurations such as leaving admin interfaces open without proper authentication can be exploited by insiders or attackers to gain unauthorized access. Weak password policies and lack of two-factor authentication are also considered medium risk factors.
  • Low: Informational findings like the presence of default configurations might not pose immediate risks but should still be addressed for enhanced security practices.

Example Findings:

  • A MongoDB instance is detected on an unsecured port without any authentication, allowing anyone to access and view all database contents.
  • Redis running on a standard port is found without any password set, facilitating remote code execution by unauthenticated users.
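The two findings above come down to configuration. As an added example (not the scanner's code), this audits the MongoDB credential requirement, the Redis password requirement and the network binding of both, with a constructed weak config beside its hardened counterpart; the mongod.conf reader handles only the two-level subset used here.

```python
# Constructed sample configs (not from the page): the weak form beside the
# hardened form for the MongoDB credential, Redis password and network
# binding checks the scanner describes.
WEAK_MONGOD = "net:\n  bindIp: 0.0.0.0\nsecurity:\n  authorization: disabled\n"
HARDENED_MONGOD = ("net:\n  bindIp: 127.0.0.1,10.0.0.5  # app subnet only\n"
                   "security:\n  authorization: enabled\n")
WEAK_REDIS = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_REDIS = ("bind 127.0.0.1 ::1\nprotected-mode yes\nport 6379\n"
                  "requirepass REPLACE_WITH_LONG_RANDOM_SECRET\n")

def _strip_comment(line):
    return line.split("#", 1)[0].rstrip()

def parse_mongod(conf):
    """Reads the two-level 'section:' / '  key: value' subset of mongod.conf
    used here; it is not a general YAML parser."""
    tree, section = {}, None
    for raw in conf.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if raw.startswith(" "):
            tree[section][key] = value.strip()
        else:
            section = key
            tree.setdefault(section, {})
    return tree

def audit_mongod(conf):
    tree, findings = parse_mongod(conf), []
    net, sec = tree.get("net", {}), tree.get("security", {})
    if sec.get("authorization", "disabled") != "enabled":   # mongod default
        findings.append("CRITICAL: security.authorization not enabled")
    bind_ips = net.get("bindIp", "127.0.0.1").split(",")
    if net.get("bindIpAll") == "true" or "0.0.0.0" in bind_ips:
        findings.append("HIGH: bound to all interfaces")
    return findings

def audit_redis(conf):
    """With no bind directive Redis listens on every interface, so absent = '*'."""
    settings, findings = {}, []
    for raw in conf.splitlines():
        line = _strip_comment(raw).strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    if not settings.get("requirepass"):
        findings.append("CRITICAL: requirepass not set")
    if any(b in ("0.0.0.0", "*", "::", "-::*")
           for b in settings.get("bind", "*").split()):
        findings.append("HIGH: bound to all interfaces")
    if settings.get("protected-mode", "yes").lower() == "no":
        findings.append("MEDIUM: protected-mode disabled")
    return findings
```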


Purpose: The Database Encryption Scanner evaluates database encryption implementation by testing TLS/SSL on database connections, checking for encrypted data transmission, validating certificate configurations, detecting unencrypted database endpoints, and identifying weaknesses in database encryption that could expose sensitive data in transit or at rest.

What It Detects:

  • SSL/TLS Support: Tests database port SSL/TLS support, checks TLS version enforcement, verifies cipher suite strength, tests certificate validation, and detects weak encryption protocols.
  • Port Exposure: Tests common database ports (3306, 5432, 27017, 6379), checks for encrypted connections, verifies port filtering, tests for plaintext connections, and detects exposed database services.
  • Certificate Validation: Checks database SSL certificates, verifies certificate chains, tests certificate expiration, checks for self-signed certificates, and detects certificate issues.
  • Connection Encryption Enforcement: Tests encrypted connection enforcement, checks for fallback to plaintext, verifies connection string security, tests for connection encryption, and detects insecure configurations.
  • Encryption Documentation: Checks for encryption mentions, tests for SSL/TLS indicators, verifies encryption documentation, detects encryption claims, and flags missing encryption statements.

Inputs Required:

  • domain (string): Fully qualified domain name (e.g., ekkatha.com)

Business Impact: Database encryption failures expose sensitive data: unencrypted connections enable man-in-the-middle attacks, weak TLS versions are vulnerable to downgrade attacks, missing certificate validation allows impersonation, exposed database ports leak unencrypted data, and poor encryption enables traffic interception. These issues pose significant risks to the confidentiality, integrity, and availability of databases and the sensitive information they contain.

Risk Levels:

  • Critical: This includes situations where there are critical vulnerabilities such as unencrypted connections, weak TLS versions, missing certificate validation, exposed database ports, or poor encryption that could lead to severe data exposure.
  • High: High severity findings involve significant risks with potential impacts on the security and integrity of databases, including issues like unsupported TLS versions or cipher suites that do not meet minimum security standards.
  • Medium: Medium severity findings are those where there is a moderate risk of exposing sensitive information through insecure configurations or unencrypted data transmission.
  • Low: Low severity findings indicate minimal risks with less impact on database security but still warrant attention to improve overall encryption practices and compliance with security best practices.
  • Info: Informational findings provide basic insights into the current state of database encryption without significant immediate risk, useful for tracking progress in enhancing data protection.

Example Findings:

  1. A database server is found to be using an outdated TLS version that is vulnerable to known attacks.
  2. An unencrypted connection to a MySQL database exposes sensitive information to potential interception.
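The client-side counterpart of the checks above, as an added example that is not part of the page or the scanner: a TLS context a database driver accepting an SSLContext would use (TLS 1.2 minimum, certificate required, hostname checked, so a plaintext or downgraded connection fails rather than silently succeeding), a severity mapping for the negotiated protocol, and an inspection of a server certificate in the dict layout `SSLSocket.getpeercert()` returns. The certificate record and the reference time are constructed; the severity labels follow the page's scale.

```python
import ssl
import time

def hardened_client_context(ca_file=None):
    """Client TLS policy: TLS 1.2+, certificate required, hostname checked.
    ca_file is the CA bundle that signed the database server certificate
    (None falls back to the system store)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 downgrade
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def assess_tls_version(version):
    """Map a negotiated protocol name (as SSLSocket.version() reports it)
    to the severity scale used on this page."""
    if version in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        return "HIGH: deprecated protocol " + version
    if version in ("TLSv1.2", "TLSv1.3"):
        return "OK: " + version
    return "INFO: unrecognised protocol " + str(version)

def assess_peer_cert(cert, now=None, warn_days=30):
    """Inspect a getpeercert()-style dict: self-signed, expired or close to
    expiry, missing subjectAltName (which makes hostname checking fail)."""
    now = time.time() if now is None else now
    findings = []
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    if subject and subject == issuer:
        findings.append("MEDIUM: self-signed certificate (issuer == subject)")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= now:
        findings.append("HIGH: certificate expired")
    elif not_after - now < warn_days * 86400:
        findings.append("LOW: certificate expires within %d days" % warn_days)
    if not cert.get("subjectAltName"):
        findings.append("MEDIUM: no subjectAltName; hostname check will fail")
    return findings

# Constructed certificate record (not a real certificate) and reference time.
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "db.internal.example"),),),
    "issuer": ((("commonName", "db.internal.example"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")

if __name__ == "__main__":
    print(assess_peer_cert(SAMPLE_SELF_SIGNED, now=SAMPLE_NOW))
    print(assess_tls_version("TLSv1.1"))
```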

This user-facing documentation provides a clear and concise overview of the scanner’s purpose, what it detects, required inputs, business impact, risk levels, and examples of findings in a format that is both informative for security teams and understandable for stakeholders concerned with data protection.