Comment by Volundr
2 months ago
I'm not an attacker, just a boring old software dev. If there's an SQL Injection I'd say all bets are off re: schema.
That said I've definitely worked on applications where knowing the schema could help you exfill data in the absence of a full injection. The most obvious being a query that's constructed based on url parameters, where the parameters aren't whitelisted.
So I actually do agree that the schema could potentially be of marginal benefit to the attacker.
Wouldn't admitting this in court pin you with some sort of negligence? (if you knew having a schema revealed would compromise your app in some way).
"Defense in depth" is an easy argument to make. I sure hope I don't have any SQL injection holes, but I can't prove it with 100% certainty.
I can't imagine how the schema would reveal SQL injection holes. Maybe other holes, though. Any poor choices for PKs, dumb use of MD5 computed fields, insecure random, misuse of NULL, weird uniqueness constraints (this also ties back to NULLs), vulnerable extensions, wrong timestamp type, too-small integer type, varchar limits, predictable index speed...
Edit: More NULL, or maybe lack thereof cause they use the string "NULL" instead? https://news.ycombinator.com/item?id=20676904
3 replies →
This is the city government here. The people arguing the case didnt write the code and dont have time to look through all their code but one thing they do know is that it was written by monkeys. They probably have some level of reason to believe their are SQL injections available in the code.