Severity: high · CWE-319 · OWASP A02:2021

Unencrypted Database Connection

Your database connection doesn't use SSL/TLS, meaning all queries and results travel over the network in plaintext and can be intercepted.

How It Works

When your app connects to a remote database without SSL, every query — including those containing passwords, emails, and payment data — travels as readable text across the network. Anyone on the same network path (cloud provider internal networks, misconfigured switches) can capture this traffic with a packet sniffer like Wireshark. This is especially dangerous in cloud environments where internal traffic may cross shared infrastructure.

Vulnerable Code

// BAD: PostgreSQL connection without SSL
const { Pool } = require('pg');

const pool = new Pool({
  connectionString: 'postgresql://user:pass@db.example.com:5432/mydb'
  // No ssl option — connection is unencrypted
});

Secure Code

// GOOD: always require SSL for remote database connections
const { Pool } = require('pg');

const pool = new Pool({
  connectionString: process.env.DATABASE_URL,
  ssl: {
    rejectUnauthorized: true, // verify the server's certificate
    ca: process.env.DB_SSL_CERT // optional: trust only the provider's CA certificate
  }
});

Real-World Example

A 2023 security audit of cloud-hosted SaaS apps found that 23% of database connections to remote PostgreSQL instances lacked SSL. In cloud environments, internal traffic between services often traverses shared networking infrastructure where traffic inspection is possible.

How to Prevent It

  • Always set ssl: { rejectUnauthorized: true } or sslmode=require in your connection configuration
  • Use connection strings that explicitly include sslmode=require: postgresql://user:pass@host/db?sslmode=require
  • Never connect to a remote database over port 5432/3306/27017 without SSL; a database reachable only on localhost is the one exception
  • For managed databases (RDS, Cloud SQL, Supabase), use the SSL certificate they provide
  • Audit your connection strings in CI to catch accidentally missing SSL config before it reaches production
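The CI audit suggested in the last bullet, as an added example that is not part of the original page: the function names, severity levels and rules are assumptions of this example. It applies libpq's sslmode semantics to the connection string and checks the node-postgres `ssl` option for the `rejectUnauthorized: false` trap, which keeps the link encrypted but accepts any server certificate.

```javascript
// Added example: CI-style audit of Node.js PostgreSQL connection settings.
// Loopback hosts are the page's one permitted exception to TLS.
const LOOPBACK = new Set(['localhost', '127.0.0.1', '[::1]']);

// Mask the password before a finding is logged, so the audit itself does not leak secrets.
function redact(url) {
  return url.replace(/(\/\/[^:@/]+:)[^@]*@/, '$1***@');
}

// Audit a libpq-style URL such as postgresql://user:pass@host:5432/db?sslmode=require.
// Returns { ok, level, message } with level 'fail' | 'warn' | 'pass'.
function auditConnectionString(connectionString) {
  let u;
  try {
    u = new URL(connectionString);
  } catch {
    return { ok: false, level: 'fail', message: 'unparseable connection string' };
  }
  if (!['postgres:', 'postgresql:'].includes(u.protocol)) {
    return { ok: false, level: 'fail', message: `unsupported scheme ${u.protocol}` };
  }
  if (LOOPBACK.has(u.hostname)) {
    return { ok: true, level: 'pass', message: 'loopback host, TLS not required' };
  }
  // libpq defaults to "prefer", which silently falls back to plaintext.
  const mode = u.searchParams.get('sslmode') || 'prefer';
  if (['disable', 'allow', 'prefer'].includes(mode)) {
    return { ok: false, level: 'fail', message: `remote host with sslmode=${mode}: ${redact(connectionString)}` };
  }
  if (mode === 'verify-full') {
    return { ok: true, level: 'pass', message: 'TLS with CA and hostname verification' };
  }
  // "require" and "verify-ca" encrypt the link but do not bind the certificate to the hostname.
  return { ok: true, level: 'warn', message: `sslmode=${mode} encrypts but does not fully verify the server; prefer verify-full` };
}

// Audit the `ssl` option passed to new Pool({ ... }).
function auditPoolSslOption(ssl) {
  if (ssl === undefined || ssl === false) {
    return { ok: false, level: 'fail', message: 'ssl option missing: connection is plaintext' };
  }
  if (ssl === true) {
    return { ok: true, level: 'pass', message: 'TLS with default certificate verification' };
  }
  if (ssl.rejectUnauthorized === false) {
    return { ok: false, level: 'fail', message: 'rejectUnauthorized: false accepts any server certificate' };
  }
  return { ok: true, level: 'pass', message: ssl.ca ? 'TLS verified against the supplied CA' : 'TLS verified against system CAs' };
}
```

Run both checks over every DATABASE_URL and Pool config in the repository and fail the pipeline on any 'fail' result; 'warn' results are worth tracking but match what the bullets above already accept.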

Affected Technologies

Node.js, Python, Go

Data Hogo detects this vulnerability automatically.