Hacker News new | ask | show | jobs
by Volundr 484 days ago
I'm not an attacker, just a boring old software dev. If there's an SQL Injection I'd say all bets are off re: schema.

That said I've definitely worked on applications where knowing the schema could help you exfill data in the absence of a full injection. The most obvious being a query that's constructed based on url parameters, where the parameters aren't whitelisted.

So I actually do agree that the schema could potentially be of marginal benefit to the attacker.
1 comments
butlike 484 days ago
Wouldn't admitting this in court pin you with some sort of negligence? (if you knew having a schema revealed would compromise your app in some way).
link
default-kramer 484 days ago
"Defense in depth" is an easy argument to make. I sure hope I don't have any SQL injection holes, but I can't prove it with 100% certainty.
link
hot_gril 484 days ago
I can't imagine how the schema would reveal SQL injection holes. Maybe other holes, though. Any poor choices for PKs, dumb use of MD5 computed fields, insecure random, misuse of NULL, weird uniqueness constraints (this also ties back to NULLs), vulnerable extensions, wrong timestamp type, too-small integer type, varchar limits, predictable index speed...

Edit: More NULL, or maybe lack thereof cause they use the string "NULL" instead? https://news.ycombinator.com/item?id=20676904

link
default-kramer 484 days ago
> I can't imagine how the schema would reveal SQL injection holes.

It wouldn't. I'm just assuming that the thrust of the hypothetical negligence accusation was "The schema is useless unless you have SQL injection holes. So give us the schema or admit you are negligent!" But you're correct that there are other justifications one could make to keep the schema secret.

link
londons_explore 484 days ago
The schema can provide an insight into what the application developer was thinking when writing the code, which in turn can direct an attacker towards tricky corners where mistakes might have been made.
link
hot_gril 484 days ago
That's true.
link
HDThoreaun 483 days ago
This is the city government here. The people arguing the case didnt write the code and dont have time to look through all their code but one thing they do know is that it was written by monkeys. They probably have some level of reason to believe their are SQL injections available in the code.
link