4.4.1. Client, Server, and Database System Vulnerabilities
💡 First Principle: Attackers follow the path of least resistance, and the weakest component in a client-server-database architecture determines the security ceiling for the entire system — hardening one tier while neglecting another creates the illusion of security.
Client-Side Vulnerabilities
Clients are the most exposed components in any architecture because they operate in environments the organization does not control — employee laptops, personal mobile devices, public terminals.
| Vulnerability Category | Examples | Why It Persists |
|---|---|---|
| Browser-based attacks | XSS, drive-by downloads, malicious extensions, clickjacking | Browsers execute untrusted code by design |
| Mobile application flaws | Insecure local storage, hardcoded API keys, certificate pinning bypass | Rapid development cycles and app store pressure |
| Thick client weaknesses | DLL hijacking, local privilege escalation, reverse-engineerable logic | Legacy applications predating modern security |
| Social engineering entry | Phishing, pretexting, watering hole attacks | Humans are the vulnerability |
Server-Side Vulnerabilities
Misconfigurations remain the leading cause of server compromises. Default installations of web servers expose directory listings, debug endpoints, and administrative interfaces. Unpatched services create windows of exploitation — the average time from CVE publication to active exploitation has compressed to under 15 days for critical vulnerabilities. Default credentials persist in production more often than security professionals want to admit. Privilege escalation transforms a low-value compromise into a catastrophic one — a web server running as root means any application vulnerability immediately grants the attacker full system control.
Database Vulnerabilities
SQL injection remains the most prevalent database attack vector despite being well-understood for over two decades. Excessive privileges amplify every other vulnerability — when application service accounts have DBA-level access, SQL injection escalates from data theft to complete database control.
Inference and aggregation attacks represent a subtler threat unique to databases. Inference occurs when a user with access to non-sensitive individual data points deduces sensitive information through correlation. Aggregation occurs when combining permitted low-sensitivity records produces a high-sensitivity conclusion. Example: a university database allows querying average salary by department and headcount by department; when a department has only one person, the average salary is that person's salary. These attacks bypass access controls entirely because each individual query is authorized.
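The university scenario above, as an added example that is not part of the original text: a constructed in-memory staff table, the authorized average-salary query that leaks an individual's pay when a department has one member, and a minimum-query-set-size control (a standard database inference countermeasure) that refuses aggregates covering fewer than a threshold number of rows. The table contents and the threshold of 3 are assumptions chosen for illustration.

```python
import sqlite3

# Constructed sample data for the example (not from the page).
# "Legal" deliberately has a single employee so its average IS that person's salary.
ROWS = [
    ("Engineering", "alice", 120000),
    ("Engineering", "bob", 100000),
    ("Engineering", "carol", 110000),
    ("Legal", "dave", 150000),
]

MIN_QUERY_SET = 3  # assumed policy: an aggregate must cover at least this many records


def build_db():
    """Create an in-memory SQLite database holding the constructed staff table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (dept TEXT, name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", ROWS)
    return conn


def headcount(conn, dept):
    """Permitted low-sensitivity query: how many people work in a department."""
    return conn.execute("SELECT COUNT(*) FROM staff WHERE dept = ?", (dept,)).fetchone()[0]


def unguarded_avg_salary(conn, dept):
    """Permitted aggregate query with no inference control.

    Every query here is authorized, yet for a one-person department the
    returned average is exactly that person's salary: an inference leak.
    """
    return conn.execute("SELECT AVG(salary) FROM staff WHERE dept = ?", (dept,)).fetchone()[0]


def guarded_avg_salary(conn, dept, min_rows=MIN_QUERY_SET):
    """Same aggregate behind a query-set-size control.

    Returns None (refuses to answer) when the aggregate would cover fewer
    than min_rows records, so small groups cannot be used to isolate one row.
    """
    if headcount(conn, dept) < min_rows:
        return None
    return unguarded_avg_salary(conn, dept)


if __name__ == "__main__":
    db = build_db()
    print("Legal headcount:", headcount(db, "Legal"))
    print("Unguarded Legal avg:", unguarded_avg_salary(db, "Legal"))  # leaks dave's salary
    print("Guarded Legal avg:", guarded_avg_salary(db, "Legal"))      # refused
    print("Guarded Engineering avg:", guarded_avg_salary(db, "Engineering"))
```

Note that a size threshold alone is a partial control; in practice it is combined with query auditing and limits on overlapping queries, since the guard only addresses the single-small-group case the text describes.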
Patch Management and Vulnerability Scanning
Effective vulnerability management follows a lifecycle: Discovery (automated scanning) → Prioritization (CVSS + asset criticality + exploitability) → Remediation (patching or compensating controls) → Verification (re-scanning) → Reporting (trend analysis).
Credentialed scans versus uncredentialed scans represent a fundamental trade-off. Uncredentialed scans see only what an external attacker sees. Credentialed scans authenticate to the target and enumerate installed software, patch levels, and local configurations — typically finding 5-10x more vulnerabilities.
⚠️ Exam Trap: Inference and aggregation attacks are distinct concepts. Inference is deducing sensitive data from non-sensitive data through logical reasoning. Aggregation is combining multiple pieces of low-sensitivity data to produce high-sensitivity information. Both bypass traditional access controls because no individual query violates the access policy.
Reflection Question: Your vulnerability scan reports zero critical findings on a database server, but the scan was run without credentials. What categories of vulnerability would a credentialed scan likely reveal that the uncredentialed scan missed?