Hackers will target database weaknesses in web applications because, for example, it's the only method for retrieving data out of that database. The database itself is normally not accessible from the untrusted network (the other side of the firewall). This is not always the case, of course, since the SQL slammer outbreak of 2003 demonstrated that plenty of organizations allowed direct database access to their Microsoft SQL Servers from Internet connections. Further, social engineering attacks are a far more effective means of harvesting data from databases. An attacker gains access to someone from the inside that can pull information from the database and feed it to her on the outside.

Since hackers normally cannot attack the database directly, they must encapsulate their attack via other means. The most direct network route to accomplish this is to attack the applications that are accessing this database. The attacker may be interested in gaining access to the data to sell it in the underground economy, for competitive intelligence, or foreign espionage. The attacker also may wish to Trojan the database with his own code, allowing full takeover of the database platform to launch further attacks, disrupt confidentiality, change transactions, or deny access to it altogether (denial of service). The SQL slammer worm of 2003 was an example of this, as the attacker ...