Config files : Insecure data transmission: Database
Classification
OWASP Top 10 2013
OWASP Top 10 2017
OWASP Top 10 2021
OWASP ASVS
Overview
Using an unencrypted connection when communicating with a database server allows an attacker to carry out a man-in-the-middle attack. This can lead to a complete loss of confidentiality for the transferred data.
Using HTTPS, which is based on HTTP and SSL/TLS, helps to protect the transferred data against unauthorized access and modification. It is recommended to use HTTPS for all cases of data transfer.
If “Persist Security Info” is set to “true”, sensitive information such as the password is stored in the database connection string, which could pose a security risk if this information becomes available to attackers. Possible ways to exploit such a vulnerability include:
- Gaining access to the application configuration files where the connection string is stored.
- Gaining access to application logs where the connection string may be recorded.
- Exploiting a vulnerability in an application to gain access to the connection string at runtime.
- Exploiting the application to execute malicious code in the context of a user with access to the connection string.
- Interception of network traffic containing the connection string.
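The two settings described above can be checked in configuration files before deployment. The following is an added example, not DerScanner's own code: it audits the `connectionStrings` entries of a constructed `web.config` sample and assumes SqlClient-style keywords (`Encrypt`, `TrustServerCertificate`, `Persist Security Info`); the function names and finding labels are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample; assumes SqlClient-style keywords. Hosts and passwords are placeholders.
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Weak" connectionString="Server=db.example.internal;Database=app;User Id=app;Password=PLACEHOLDER;Encrypt=False;Persist Security Info=True" />
    <add name="Hardened" connectionString="Server=db.example.internal;Database=app;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False;Persist Security Info=False" />
    <add name="Implicit" connectionString="Server=db.example.internal;Database=app;User Id=app;Password=PLACEHOLDER" />
  </connectionStrings>
</configuration>"""

TRUE_VALUES = {"true", "yes"}

def parse_connection_string(raw):
    """Split 'key=value;...' pairs; keys ignore case and spaces (quoted ';' not handled)."""
    pairs = {}
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.replace(" ", "").lower()] = value.strip().lower()
    return pairs

def audit_connection_string(raw):
    """Return the list of findings for one connection string."""
    kv, findings = parse_connection_string(raw), []
    if kv.get("persistsecurityinfo") in TRUE_VALUES:
        findings.append("persist-security-info-enabled")
    if "encrypt" not in kv:
        # Transport encryption then depends on the driver's default: review it.
        findings.append("encryption-not-set")
    elif kv["encrypt"] not in TRUE_VALUES | {"strict", "mandatory"}:
        findings.append("encryption-disabled")
    if kv.get("trustservercertificate") in TRUE_VALUES:
        # Encrypted but unauthenticated: still open to man-in-the-middle.
        findings.append("server-certificate-not-validated")
    if "password" in kv or "pwd" in kv:
        findings.append("password-in-config")
    return findings

def audit_config(xml_text):
    """Map each connection string name in the config to its findings."""
    return {
        add.get("name"): audit_connection_string(add.get("connectionString"))
        for add in ET.fromstring(xml_text).iter("add")
        if add.get("connectionString") is not None
    }

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```

An `encryption-not-set` finding is a prompt to confirm the driver's default rather than proof of a plaintext connection.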
DerScanner Severity Score: CRITICAL
