Here’s what I discovered as the most common methods for attacking a website database:
1- Crafted Code Injection – this technique falls within the conventional understanding, where an attacker will inject SQL statements via user input, cookies or server variables, in an attempt to have the rogue command passed to the backend database. If the database is not secured properly, the command may get successfully executed and lead to devastating results (eg. Dump of the database, data corruption, shutdown, etc.)
2- Resource Exhaustion – arguments and commands are passed at a high enough frequency to simply overwhelm the database so it cannot process legitimate transactions. The illegitimate arguments that are being passed may be invalid or just nonsensical, and therefore not executed upon, but they still require the database to review the input before discarding. By injecting a flood of these types of requests, the CPU load of the backend database starts to increase to the point it stops responding.
