Comment by thaumasiotes
2 months ago
> If something doesn't enable people to attack a system, but is merely one of the valuable things you could get from that system, it does not jeopardize that system under Illinois law.
The problem I have with this is that the schema isn't something an attacker recovers for its own sake. It's something the attacker recovers in order to further their attack. This necessarily means that it does enable people to attack the system. That's the only value an attacker sees in it.
> Again: this part of the case is settled. We didn't lose at the State Supreme Court because the court was worried there was jeopardy
Doesn't matter to the discussion; the court, Supreme or trial, can be wrong as easily as it can be right.
> I don't understand your argument. If I have a SQLI, I can, as you acknowledge, fetch the schema. So what does it matter if the schema is published a priori? All that matters is whether I have SQLI.
No, as other comments in the thread have pointed out, you can easily have an SQLI that doesn't send information back to you. You may find value in changing what's in the database even if you can't read from it.
If you do have the ability to retrieve information, then one of the first things you'll do is retrieve the schema.
And the reason you'll retrieve the schema, if you can, is that it facilitates the attacks you actually want to make. It has no value to you other than enabling your attacks. This observation seems sufficient to answer the question "does knowing the schema enable attacks?".
There is a whole sub-field of software security dedicated to retrieving information from SQL injections that don't directly return results. This is not a plausible objection.