Questions tagged [databases]
Security related aspects of databases and database access.
762 questions
3 votes
2 answers
695 views
Are client certificates a secure way of having a publicly facing SQL database?
Quick Context: I often come across videos where people build apps using SQL database services alongside serverless functions (like AWS Lambda, Vercel, and others) without setting up a VPC to keep the ...
5 votes
2 answers
1k views
Accessing a database publicly via an HTTPS API vs. natively, but with client certificates
There are database services offering access to the database via an HTTPS API, such as Neon and Algolia. This is great for serverless environments, but from a security standpoint, I’m curious if this ...
0 votes
1 answer
66 views
Is encrypting REST-exposed database identifiers a bad idea?
At the end of the Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet it says "Avoid encrypting identifiers as it can be challenging to do so securely." On login I store a cryptographically generated ...
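Added example (not from the question, any answer, or the OWASP cheat sheet) of why the cheat sheet's warning holds: an identifier encrypted under an unauthenticated stream-cipher mode can be forged by a client without the key, an encrypt-then-MAC tag stops that, and a per-user indirect reference map sidesteps the problem entirely. Everything here is standard library; the stream cipher is a toy (HMAC-SHA256 keystream XORed into the plaintext) standing in for AES-CTR, and `KEY`, `NONCE` and the `IndirectReferenceMap` class are assumptions of the example, not anything the question describes.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key; in practice it comes from a KMS or environment, never from the DB.
KEY = secrets.token_bytes(32)
# Constructed nonce for the demonstration; real code would store one nonce per issued token.
NONCE = bytes(range(16))
# Separate MAC key derived from KEY, so encryption and authentication never share a key.
TAG_KEY = hmac.new(KEY, b"id-tag-key", hashlib.sha256).digest()


def _keystream(nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(KEY, nonce || counter) blocks, truncated to length.
    Stands in for AES-CTR; every stream cipher is malleable in exactly the same way."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_id(obj_id: int, nonce: bytes = NONCE) -> bytes:
    """'Encrypted identifier' as proposed: 8-byte big-endian id XOR keystream."""
    pt = obj_id.to_bytes(8, "big")
    return bytes(a ^ b for a, b in zip(pt, _keystream(nonce, 8)))


def decrypt_id(token: bytes, nonce: bytes = NONCE) -> int:
    return int.from_bytes(bytes(a ^ b for a, b in zip(token, _keystream(nonce, 8))), "big")


def forge_token(token: bytes, known_id: int, target_id: int) -> bytes:
    """Attacker move: knowing their own id and its token, XOR the plaintext difference
    into the ciphertext to obtain a valid token for target_id. No key is needed."""
    diff = (known_id ^ target_id).to_bytes(8, "big")
    return bytes(a ^ b for a, b in zip(token, diff))


def encrypt_id_authenticated(obj_id: int, nonce: bytes = NONCE) -> bytes:
    """Same cipher plus a 16-byte HMAC tag over nonce || ciphertext (encrypt-then-MAC)."""
    ct = encrypt_id(obj_id, nonce)
    tag = hmac.new(TAG_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    return ct + tag


def decrypt_id_authenticated(blob: bytes, nonce: bytes = NONCE):
    """Returns the id, or None when the tag does not match (forged or corrupted token)."""
    ct, tag = blob[:8], blob[8:]
    expected = hmac.new(TAG_KEY, nonce + ct, hashlib.sha256).digest()[:16]
    if len(tag) != 16 or not hmac.compare_digest(tag, expected):
        return None
    return decrypt_id(ct, nonce)


class IndirectReferenceMap:
    """The cheat sheet's preferred alternative: random opaque handles scoped to a
    user/session and resolved server-side. Nothing to decrypt, nothing to forge,
    and a handle issued to one user resolves to nothing for another."""

    def __init__(self):
        self._by_user = {}  # user -> {handle: db_id}

    def issue(self, user: str, db_id: int) -> str:
        handle = secrets.token_urlsafe(16)
        self._by_user.setdefault(user, {})[handle] = db_id
        return handle

    def resolve(self, user: str, handle: str):
        return self._by_user.get(user, {}).get(handle)
```

Run `decrypt_id(forge_token(encrypt_id(42), 42, 43))` to see the forged token decrypt to 43; the same forgery against `encrypt_id_authenticated` is rejected. The indirect map costs a table lookup per request but needs no key management at all, which is the practical reason the cheat sheet steers people away from encryption.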
3 votes
1 answer
3k views
Is this database exploitable?
I'm starting out as a bug bounty hunter and found a website that might have a problem, yet I'm unsure if it's exploitable or not. When sending any payload that contains % I get an error: Invalid query ...
1 vote
0 answers
61 views
Is a TPM protected datastore available/possible/desirable?
It seems technically plausible to me that one could implement some form of data store where the individual data points are protected by the encryption provided by the Trusted Platform Module available ...
4 votes
1 answer
467 views
Putting the database's mongod.conf under $HOME/web-server/ instead of /etc/
Would there be any security concerns saving mongod.conf to $HOME/web-server/mongod.conf instead of /etc/mongod.conf ? If the config was under $HOME/web-server/mongod.conf would that mean someone (or a ...
0 votes
1 answer
88 views
How can I securely store a sensitive user attribute used for account lookup?
At $work we need to store a sensitive attribute of a user (say SSN - so, short and with a small keyspace) and look up the user based on this attribute when data is submitted into our system. We cannot ...
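Added example (not from the question or any answer) of the standard answer to a lookup attribute with a small keyspace: a keyed blind index. It shows why an unkeyed hash of an SSN is no protection once the table leaks (the ~10^9 candidates can simply be enumerated), and how an HMAC under a key held outside the database gives the same equality lookup without that weakness. `INDEX_KEY`, the `UserStore` class and the SSN values are assumptions and constructed data for this example; the question's own constraints are not visible here.

```python
import hashlib
import hmac
import secrets

# Hypothetical index key held outside the database (KMS/HSM/environment). A dump
# of the DB alone must not include it, or the blind index is as weak as the plain hash.
INDEX_KEY = secrets.token_bytes(32)


def normalize_ssn(ssn: str) -> str:
    """Canonical form so '123-45-6789' and '123456789' produce the same index."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def naive_index(ssn: str) -> str:
    """What NOT to do: an unkeyed hash. With ~10^9 possible inputs, anyone holding
    the table recomputes SHA-256 over the whole space and reverses every row."""
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()


def blind_index(ssn: str) -> str:
    """Keyed lookup token (HMAC-SHA256). Equality lookups still work, but enumerating
    the keyspace is impossible without INDEX_KEY."""
    return hmac.new(INDEX_KEY, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def crack_index(target: str, candidates):
    """Attacker holding a dumped table: recompute the unkeyed hash over candidates
    until one matches. Against blind_index output this never matches."""
    for c in candidates:
        if hashlib.sha256(c.encode()).hexdigest() == target:
            return c
    return None


class UserStore:
    """Constructed in-memory stand-in for the real table: rows keyed by blind index,
    the SSN itself not stored here at all (store it encrypted elsewhere if it is needed)."""

    def __init__(self):
        self._rows = {}  # blind index -> user id

    def add(self, user_id: str, ssn: str) -> None:
        self._rows[blind_index(ssn)] = user_id

    def lookup(self, ssn: str):
        return self._rows.get(blind_index(ssn))


def candidate_window(start: int, count: int):
    """A small constructed slice of the SSN space; a real attacker iterates all 10^9."""
    return (f"{n:09d}" for n in range(start, start + count))
```

Usage: `UserStore().add("u-17", "123-45-6789")` then `lookup("123456789")` returns `"u-17"`. Compromise of `INDEX_KEY` reopens the enumeration attack, so the key belongs in an HSM or KMS with rate-limited access, and any index computation should be logged; if distinct lookups are not required, truncating the HMAC so that a few SSNs collide limits what even a leaked key reveals.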
0 votes
0 answers
357 views
MariaDB SQL Injection
I'm doing a website PT lab and I'm trying to figure out an SQL vulnerability in MariaDB. After some scanning I found the /api/ path, and one of them gives the desired SQL. I found out that ' gives me the ...
2 votes
1 answer
1k views
Offline, multi-machine, 2-factor authentication information vault?
I think this should be the right SE, apologies otherwise. I have been researching ways to be more careful with how I handle important documents and credentials, but everything I found sounded ...
1 vote
1 answer
296 views
Storing TOTP keys
I am working on an application which requires a session token to commence trading activities. This will be hosted on a cloud-based Linux VM (Ubuntu) and a managed MySQL database. Session tokens are ...
0 votes
0 answers
315 views
Accidentally used --flush-session --batch in the sqlmap tool. Need help!
I was working on a target where sqlmap detected boolean-based time blind injection. Everything was working perfectly, but you know it was time blind injection, so I knew that this is going to take forever ...
0 votes
1 answer
180 views
Why is the boot key used to access the encrypted SAM database hashes?
A quick something I’ve been wondering: why is the boot key used to access the encrypted SAM database hashes (and not another key), and also what encryption mechanism is actually used to encrypt the ...
0 votes
2 answers
332 views
How do databases/companies change their hashing algorithm? [duplicate]
OK, so you all probably know that a hash is used to help secure a stored password in a database, if it was stolen. When a user logs in and enters a password, it gets hashed and then matched to a ...
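Added example (not from the question or any answer) of how a migration between password hashing algorithms is usually done in practice: each row records which scheme it uses, a successful login on an old-scheme row rehashes the password with the new scheme while the plaintext is in hand, and dormant rows are wrapped immediately by running the new algorithm over the legacy digest so they are not left weak until the user returns. The legacy scheme (unsalted SHA-256), the PBKDF2 parameters and the in-memory `db` dict are assumptions of the example.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor assumed for the example (OWASP's 2023 recommendation is 600,000).
ITERATIONS = 600_000


def legacy_hash(password: str) -> str:
    """The old scheme: unsalted SHA-256 (constructed stand-in for whatever legacy algorithm is in use)."""
    return hashlib.sha256(password.encode()).hexdigest()


def _pbkdf2(material: bytes, salt: bytes, iters: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", material, salt, iters).hex()


def new_hash(password: str) -> dict:
    """The new scheme: salted PBKDF2-HMAC-SHA256, with parameters stored in the row."""
    salt = os.urandom(16)
    return {"algo": "pbkdf2_sha256", "salt": salt.hex(),
            "hash": _pbkdf2(password.encode(), salt, ITERATIONS), "iters": ITERATIONS}


def wrap_legacy(legacy_digest_hex: str) -> dict:
    """Upgrade a row WITHOUT the password: PBKDF2 over the legacy digest. The stolen-table
    attack now has to pay the PBKDF2 cost per guess; the row is unwrapped on next login."""
    salt = os.urandom(16)
    return {"algo": "pbkdf2_sha256+legacy_sha256", "salt": salt.hex(),
            "hash": _pbkdf2(legacy_digest_hex.encode(), salt, ITERATIONS), "iters": ITERATIONS}


def verify(record: dict, password: str) -> bool:
    """Dispatch on the row's scheme; constant-time comparison in every branch."""
    algo = record["algo"]
    if algo == "legacy_sha256":
        return hmac.compare_digest(record["hash"], legacy_hash(password))
    salt = bytes.fromhex(record["salt"])
    if algo == "pbkdf2_sha256":
        return hmac.compare_digest(record["hash"], _pbkdf2(password.encode(), salt, record["iters"]))
    if algo == "pbkdf2_sha256+legacy_sha256":
        inner = legacy_hash(password).encode()
        return hmac.compare_digest(record["hash"], _pbkdf2(inner, salt, record["iters"]))
    raise ValueError(f"unknown password scheme: {algo}")


def login(db: dict, username: str, password: str) -> bool:
    """Authenticate; on success, opportunistically move any non-current row to the new scheme."""
    record = db.get(username)
    if record is None or not verify(record, password):
        return False
    if record["algo"] != "pbkdf2_sha256":
        db[username] = new_hash(password)  # plaintext is available only right now
    return True


def migrate_dormant(db: dict) -> int:
    """Batch step: wrap every row still on the raw legacy scheme. Returns rows changed."""
    changed = 0
    for username, record in db.items():
        if record["algo"] == "legacy_sha256":
            db[username] = wrap_legacy(record["hash"])
            changed += 1
    return changed
```

The `algo` field is what makes the change possible at all: verification never guesses, so several schemes can coexist in one table for years, and the same dispatch lets a future migration raise `ITERATIONS` or switch to scrypt/Argon2 without another flag day. Wrapped rows should also be tracked so that users who never log in can be forced through a reset once the cut-off arrives.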
1 vote
1 answer
182 views
Library to securely expose query language to end user?
I have a DB that I would like to expose to end users for flexible search through their data. Currently using Elastic, but not tied to that: I can internally transform the data in any way to enable ...
0 votes
1 answer
380 views
OAuth2: Storing temp values in session vs database
I have implemented OAuth2 for a web app. Everything is stored in the session, and I am switching this to a database. This makes sense for the subject and roles, but it also includes the temporary ...