Exposed Database Connection String

Severity: Low
Test name: Exposed Database Details

Summary

Most products use a database as the main store for sensitive data, so protecting the data your company collects and manages is essential. Proper database security helps prevent attacks that can lead to financial loss, reputational damage, loss of customer trust, and non-compliance with government regulations.

A database connection string specifies the data source and the means of connecting to it. Connection strings are generally used by the application tier to connect to the backend database that stores the application data. Even if the database connection string is otherwise properly secured, it reveals information that could be abused.

The connection strings may include:

  • Hostname or IP address of the server housing the database, and the port number used for the connection.
  • Type of the data source.
  • Type of the technology used to communicate with the data source.
  • Name of the database containing the data.
  • Network libraries used for the connection.
  • Username and password for the account used to authenticate to the database.

Impact

Leakage of sensitive data

Location

The issue can be found in the source code on the client side.

Remedy suggestions

Applications rarely, if ever, need to disclose database connection strings to clients. Review why the connection string appears on user-visible pages and, if possible, remove all database connection strings from user-visible web pages.
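The component list in the summary and the remedy above both come down to one practical task: find connection strings in client-visible source, understand what each one discloses, and report it without re-leaking the secret. The following Python script is an added example written for this page, not part of the original finding text or of any scanner's own code. It recognises the two common connection-string shapes (URL style such as postgresql://..., and key-value style such as Server=...;Database=...;), extracts the fields the summary lists (technology, host, port, database name, username, whether a password is present) and masks the password before printing. The HTML snippet, hosts, accounts and passwords are constructed for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample of client-visible source (hypothetical hosts and accounts,
# not taken from any real product): two connection strings shipped to the browser
# next to a harmless API base URL that must not be flagged.
SAMPLE_CLIENT_SOURCE = """<html><head>
<script>
  var config = { db: "postgresql://app_user:S3cret%21@db.internal.example:5432/orders?sslmode=require" };
  var legacy = "Server=sql01.example.local,1433;Database=Billing;User Id=svc_billing;Password=Winter2024;";
  var api = "https://api.example.com/v1";
</script>
</head><body></body></html>
"""

# URL-style strings: the scheme names the database technology.
URL_SCHEMES = ("postgresql", "postgres", "mysql", "mongodb+srv", "mongodb",
               "redis", "mssql", "sqlserver", "oracle")
URL_STYLE = re.compile(
    r"\b(?:" + "|".join(re.escape(s) for s in URL_SCHEMES) + r")://[^\s\"'<>]+", re.I)
# Key-value (ADO.NET / ODBC) style: "Server=...;Database=...;User Id=...;Password=...;"
KEYVALUE_STYLE = re.compile(r"""(?:Server|Data Source)\s*=\s*[^;"']+;(?:[^;"']+;)*""", re.I)


def parse_url_style(s):
    """Split a URL-style connection string into the fields the finding lists."""
    u = urlsplit(s)
    return {
        "style": "url",
        "technology": u.scheme.lower(),
        "host": u.hostname,
        "port": u.port,
        "database": u.path.lstrip("/") or None,
        "username": unquote(u.username) if u.username else None,
        "has_password": u.password is not None,
    }


def parse_keyvalue_style(s):
    """Split a key-value connection string; returns None if it is not a DB string."""
    fields = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    # Require a database name so a stray "Server=" in unrelated config is not reported.
    database = fields.get("database") or fields.get("initial catalog")
    if database is None:
        return None
    server = fields.get("server") or fields.get("data source") or ""
    host, _, port = server.partition(",")
    return {
        "style": "key-value",
        "technology": "unknown (not encoded in this format)",
        "host": host.strip() or None,
        "port": int(port) if port.strip().isdigit() else None,
        "database": database,
        "username": fields.get("user id") or fields.get("uid") or fields.get("user"),
        "has_password": "password" in fields or "pwd" in fields,
    }


def redact(s):
    """Mask the secret part so the finding can be reported without re-leaking it."""
    s = re.sub(r"://([^:/@]+):[^@]+@", r"://\1:***@", s)           # user:pass@host
    s = re.sub(r"(?i)\b(password|pwd)\s*=\s*[^;]+", r"\1=***", s)  # Password=...;
    return s


def find_connection_strings(source):
    """Return one dict per connection string found in client-visible source."""
    findings = []
    for m in URL_STYLE.finditer(source):
        findings.append({"redacted": redact(m.group(0)), **parse_url_style(m.group(0))})
    for m in KEYVALUE_STYLE.finditer(source):
        parsed = parse_keyvalue_style(m.group(0))
        if parsed is not None:
            findings.append({"redacted": redact(m.group(0)), **parsed})
    return findings


if __name__ == "__main__":
    for f in find_connection_strings(SAMPLE_CLIENT_SOURCE):
        print(f"[{f['style']}] host={f['host']} port={f['port']} db={f['database']} "
              f"user={f['username']} password_present={f['has_password']}")
        print("   ", f["redacted"])
```

Run it against the HTML, JavaScript and source-map files a build actually ships to the browser; the redacted form is what belongs in a ticket, and every hit is a candidate for the remedy above, which is to move the string to server-side configuration rather than to obfuscate it in the client.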

Classification

  • CWE-284
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References