attack-tree.md

Attack Tree Analysis for go-sql-driver/mysql

Objective: Exfiltrate sensitive data, modify database records, or achieve denial-of-service (DoS) against the application by exploiting vulnerabilities or misconfigurations related to the go-sql-driver/mysql library and its interaction with the MySQL database.

Attack Tree Visualization

                                     [Attacker's Goal: Exfiltrate Data, Modify Records, or Cause DoS]
                                                    /                               |
------------------------------------------------------------------------------------------------------------------------
|                                                   |
[1. SQL Injection] [!]                          [2. Connection/Configuration Issues]
        |                                                   |
========|=========                               ---|---------------------------------
|       |                                       |       |
[1.1] [!]   [1.2] [!]                               [2.1] [!]   [2.2] [!]
Untrusted  Improper                               Cleartext  Insecure
Input to   Prepared                               Credentials  TLS/SSL
Query      Statements                             in Code/   Configuration
(e.g.,          (e.g.,                              Config
String         String
Concatenation) Concatenation)

Attack Tree Path: 1. SQL Injection [!]

• Overall Description: The most critical threat category. Exploits vulnerabilities where the application constructs SQL queries using untrusted input without proper sanitization or parameterization. go-sql-driver/mysql provides the tools (prepared statements) to prevent this, but it's the application's responsibility to use them correctly.

Attack Tree Path: 1.1 Untrusted Input to Query [!]

• Description: The application directly incorporates user-provided data into SQL queries using string concatenation or similar unsafe methods. This allows attackers to inject arbitrary SQL code.
  • Example:

    // VULNERABLE CODE!
    username := r.FormValue("username")
    query := "SELECT * FROM users WHERE username = '" + username + "'"
    rows, err := db.Query(query)

  • Likelihood: High (if precautions aren't taken; very common)
  • Impact: Very High (data exfiltration, modification, deletion, complete database compromise)
  • Effort: Low (many automated tools available)
  • Skill Level: Beginner (basic SQL knowledge sufficient)
  • Detection Difficulty: Medium (detectable with static/dynamic analysis, WAFs)
  • Mitigation:
    • Always use parameterized queries (prepared statements).
    • Example (Corrected):

      username := r.FormValue("username")
      query := "SELECT * FROM users WHERE username = ?"
      rows, err := db.Query(query, username)

    • Validate and sanitize all user input, even when using prepared statements (defense-in-depth).

Attack Tree Path: 1.2 Improper Prepared Statements [!]

• Description: The application attempts to use prepared statements, but does so incorrectly, still leaving it vulnerable to injection. This often happens when developers misunderstand how placeholders work.
  • Example (Incorrect):

    // STILL VULNERABLE!
    userInput := r.FormValue("userInput")
    query := fmt.Sprintf("SELECT * FROM products WHERE name LIKE '%%%s%%'", userInput) // String formatting BEFORE prepared statement
    rows, err := db.Query(query)

  • Likelihood: Medium (less common than 1.1, but still occurs)
  • Impact: Very High (same as 1.1)
  • Effort: Low to Medium
  • Skill Level: Intermediate (requires understanding of prepared statements)
  • Detection Difficulty: Medium to Hard (requires careful code review)
  • Mitigation:
    • Thoroughly review go-sql-driver/mysql documentation and examples.
    • Use placeholders (?) only for values, never for table names, column names, or SQL keywords.
    • Example (Corrected):

      userInput := r.FormValue("userInput")
      query := "SELECT * FROM products WHERE name LIKE ?"
      rows, err := db.Query(query, "%"+userInput+"%") // Concatenate wildcards with the *parameter*, not the query string.

    • Test with various malicious inputs to confirm effectiveness.

Attack Tree Path: 2. Connection/Configuration Issues

• Overall Description: Misconfigurations related to how the application connects to and interacts with the MySQL database.

Attack Tree Path: 2.1 Cleartext Credentials in Code/Config [!]

• Description: Storing database credentials (username, password, connection string) directly in the application's source code or in unencrypted configuration files.
  • Likelihood: Medium (unfortunately common)
  • Impact: Very High (complete database compromise)
  • Effort: Very Low (reading the code/config)
  • Skill Level: Beginner
  • Detection Difficulty: Easy (if code/config is accessible)
  • Mitigation:
    • Never store credentials in source code or unencrypted files.
    • Use environment variables.
    • Use a secure configuration management system (e.g., HashiCorp Vault, AWS Secrets Manager).
    • Ensure configuration files have appropriate file permissions.

Attack Tree Path: 2.2 Insecure TLS/SSL Configuration [!]

• Description: Connecting to the MySQL server without TLS/SSL encryption, or using weak ciphers/protocols, exposing the connection to eavesdropping and potential Man-in-the-Middle (MITM) attacks.
  • Likelihood: Medium (depends on deployment environment)
  • Impact: High (data interception, potential MITM)
  • Effort: Low to Medium (requires network access)
  • Skill Level: Intermediate (understanding of TLS/SSL)
  • Detection Difficulty: Medium (network monitoring)
  • Mitigation:
    • Always use TLS/SSL encryption for database connections.
    • Configure go-sql-driver/mysql to enforce TLS/SSL and use strong ciphers. Use the tls parameter in the DSN.
    • Verify the server's certificate (use tls=verify-full in the DSN if possible).
    • Example DSN: user:password@tcp(hostname:3306)/dbname?tls=preferred (or tls=verify-full)