Penetration Tester's Open Source Toolkit

Chapter 3: Introduction to Testing Databases

Objectives

Pen testing a database is similar to pen testing a network, which is to say there is no specific recipe. There are, however, certain basic skills that, when combined with a healthy dose of creativity, will result in a competent test. We will discuss the basic database technologies and the tools and methods used to assess database security.

As a rule of thumb, the implementation of security to protect a system is commensurate with the value of the data. The concept of data is sometimes lost when it comes to penetration testing. Most of the information about how to perform penetration testing is about how to "own" the network or "own" the server or "own" some device. Become domain administrator or root and the game is over! Then the penetration tester delivers his report on the network security posture and how to fix it. What if the network isn't the ultimate target? Better yet, what if the server is secure but the database isn't? What then?

In summary, we will discuss the following:

  • What is a database?

  • What are the "big" databases and how are they different?

  • What tools can I use to test a database?

  • Can you show me an example?

Intended Audience

It is important to understand the fundamentals of databases to be able to assess them and penetrate them. When performing a penetration test of a database, if you don't know what you are seeing, you won't be able to take full advantage of it. This...
