Chapter 16. Attacking Application Architecture

Web application architecture is an important area of security that is frequently overlooked when appraising the security of individual applications. In commonly used tiered architectures, a failure to segregate different tiers often means that a single defect in one tier can be exploited to fully compromise other tiers and thereby the entire application.

A different range of security threats arises in environments where multiple applications are hosted on the same infrastructure, or even share common components of a wider overarching application. In these situations, defects or malicious code within one application can sometimes be exploited to compromise the entire environment and other applications belonging to different customers.

In this chapter, we will examine a range of different architectural configurations, and describe how you can exploit defects within application architectures to advance your attack.

Tiered Architectures

Many web applications use a multi-tiered architecture, in which the application's user interface, business logic, and data storage are divided between multiple layers, which may use different technologies and be implemented on different physical computers. A common three-tier architecture involves the following layers:

  • Presentation layer, which implements the application's interface.

  • Application layer, which implements the core application logic.

  • Data layer, which provides storage and processing of application ...
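As an added illustration, not code from the book, of the point made at the start of this chapter (a defect in one tier being contained or not depending on how the tiers are segregated), the following Python script runs the same injection-prone application-tier code against two data tiers. It assumes a constructed in-memory SQLite database with a public products table and a sensitive users table, and it uses SQLite's authorizer hook as a stand-in for a least-privilege database account; the schema, the sample rows, the payload and every function name are constructed for this example only.

```python
import sqlite3

# Constructed sample schema: a table the application legitimately needs and a
# sensitive table it never should be able to reach.
SCHEMA = """
CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER);
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO products VALUES (1, 'widget', 999), (2, 'gadget', 1999);
INSERT INTO users VALUES (1, 'admin', '$2b$12$constructedhash');
"""

# Constructed attacker input handed in by the presentation tier.
PAYLOAD = "' UNION SELECT id, username, password_hash FROM users--"


def build_db():
    """Data tier: an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def least_privilege_authorizer(action, arg1, arg2, db_name, trigger):
    """Stand-in for a restricted database account that may only read 'products'.

    SQLite calls this for every operation while a statement is prepared; any
    SELECT statement is allowed, column reads are allowed only on 'products',
    and everything else (reads of other tables, writes, DDL) is denied.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == "products":
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def search_products(conn, name):
    """Application tier with a deliberate defect: the search term is concatenated
    straight into SQL (the flaw is kept identical in both runs so that only the
    data-tier privilege boundary changes)."""
    sql = f"SELECT id, name, price_cents FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def run_demo():
    """Run the benign and the malicious search against both data-tier designs."""
    results = {}

    # Design 1: the application tier talks to the database as an unrestricted
    # account, so the tiers are not segregated in any meaningful way.
    full = build_db()
    results["full_benign"] = search_products(full, "widget")
    results["full_attack"] = search_products(full, PAYLOAD)

    # Design 2: same defective application tier, but the data tier only grants
    # what the application actually needs (simulated with the authorizer hook).
    restricted = build_db()
    restricted.set_authorizer(least_privilege_authorizer)
    results["restricted_benign"] = search_products(restricted, "widget")
    try:
        results["restricted_attack"] = search_products(restricted, PAYLOAD)
    except sqlite3.DatabaseError as exc:
        # SQLite refuses to prepare the statement once it touches 'users'.
        results["restricted_attack"] = f"denied: {exc}"
    return results


if __name__ == "__main__":
    for label, value in run_demo().items():
        print(f"{label:18} {value}")
```

The injection flaw is present in both runs; what differs is whether the data tier lets an application-tier compromise become a compromise of everything the database holds. The authorizer is only a single-process simulation: in a real deployment the equivalent control is a dedicated database role for the application tier with grants limited to the tables and operations it needs, and the same reasoning applies to any other inter-tier trust (file shares, internal APIs, message queues).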

Excerpt from The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws.