Data exfiltration is the unauthorized extraction of information from a system. It is typically the end goal of an attack chain: after gaining access and locating valuable data, the attacker transfers it to a location they control. Exfiltration can involve customer records, credentials, intellectual property, financial data, or any other sensitive information.
How It Works
Exfiltration methods range from straightforward to highly creative. The simplest approach is a direct download through an exploited vulnerability. A SQL injection that dumps database contents, an SSRF that reads internal files and returns them in HTTP responses, or a compromised admin panel that allows data export all provide direct extraction paths.
When direct channels are monitored or blocked, attackers use covert methods. DNS exfiltration encodes stolen data in DNS query subdomains, sending information through a protocol that most firewalls allow freely. Data can be hidden in HTTP headers, embedded in image files, tunneled through WebSocket connections, or leaked through timing-based side channels. Out-of-band techniques use vulnerabilities like blind SSRF or blind XXE to force the target server to send data to an attacker-controlled endpoint.
In web application contexts, cross-site scripting (XSS) is a common exfiltration vector. A stored XSS payload can silently send session tokens, form data, or page content to an external server every time a victim views the affected page. Similarly, a compromised third-party script included on a page can harvest everything users type into forms.
Why It Matters
Exfiltration is where theoretical vulnerabilities become real-world breaches. A SQL injection vulnerability is a technical finding. A SQL injection that results in the extraction of 100,000 customer records is a data breach with legal, financial, and reputational consequences.
Defending against exfiltration requires layered controls: monitoring outbound traffic for anomalies, implementing data loss prevention measures, restricting egress network rules, and logging access to sensitive data. During security assessments, demonstrating a viable exfiltration path significantly elevates the severity of any vulnerability finding.
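A detector for the DNS-based exfiltration pattern described under How It Works, illustrating the outbound-traffic monitoring control mentioned above. This is an added example, not code from the original page: it scores each queried name on subdomain length and character entropy, then groups hits by registered domain. The thresholds, the two-label domain split and the log lines are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the original page), one query per line:
# "<timestamp> <client_ip> <queried_name>". The tunnel.invalid queries imitate the
# pattern described above: chunks of encoded data carried in subdomain labels.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 www.example.com
2024-01-01T10:00:01 10.0.0.5 mail.example.com
2024-01-01T10:00:02 10.0.0.7 4a6f686e20446f65.2c3132332d34352d36373839.tunnel.invalid
2024-01-01T10:00:03 10.0.0.7 5553442031303030.2c7768792e.tunnel.invalid
2024-01-01T10:00:04 10.0.0.7 6a616e204d696c.6c65722c2034.tunnel.invalid
2024-01-01T10:00:05 10.0.0.9 cdn.example.com
"""

def shannon_entropy(s):
    """Bits per character: encoded data scores high, ordinary hostnames score low."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_name(name):
    """Assumption: the registered domain is the last two labels (a real deployment
    would consult the public suffix list, e.g. for names under co.uk)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def query_indicators(name, max_payload=24, max_entropy=3.0):
    """Reasons one query name looks like it carries data, or [] if it looks benign."""
    subdomain, _ = split_name(name)
    payload = subdomain.replace(".", "")
    reasons = []
    if len(payload) >= max_payload:      # assumed threshold; tune per environment
        reasons.append("long_subdomain")
    if shannon_entropy(payload) > max_entropy:
        reasons.append("high_entropy")
    return reasons

def detect_dns_exfil(log_text, min_queries=2):
    """Group suspicious queries by registered domain and report domains hit repeatedly."""
    by_domain = defaultdict(lambda: {"queries": 0, "clients": set(), "payload_chars": 0})
    for line in log_text.splitlines():
        _ts, client, name = line.split()
        if not query_indicators(name):
            continue
        subdomain, domain = split_name(name)
        entry = by_domain[domain]
        entry["queries"] += 1
        entry["clients"].add(client)
        entry["payload_chars"] += len(subdomain.replace(".", ""))  # rough data volume
    return {d: e for d, e in by_domain.items() if e["queries"] >= min_queries}
```

Running `detect_dns_exfil(SAMPLE_LOG)` flags only tunnel.invalid, with three queries from one client; in production the per-domain query count and payload volume per client are the numbers worth alerting on.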