Collaborate Disseminate
You are a Security Engineer at an e-commerce company. The company is running a public facing marketing website.
The following is the website’s technology stack:
HTML/CSS and JavaScript
PHP
MySQL
Linux with Apache
Scenario
Th… Continue reading Website based Attack [on hold]
You are a Security Engineer at an e-commerce company. The company is running a public facing marketing website.
The following is the website’s technology stack:
HTML/CSS and JavaScript
PHP
MySQL
Linux with Apache
Scenario
Th… Continue reading Website based Attack [on hold]
I’m a dev working on an app that has a monolith DB (PostgreSQL). We are using a third party provider for AUTH and MFA, but want to move MFA back into our control. The plan was to move the encrypted MFA secrets into our monol… Continue reading Separate Auth DB for Increased Security
Assuming I implement the literal SQL-injection on an HTTP endpoint with a read-only user that limits execution time to e.g. some amount of seconds. What’s the worst that could happen? I know simple attacks could be just flood… Continue reading What kinds of attacks are possible with credentials to a read-only Postgres user?
When we are creating a new connection with pgAdmin, we are presented with an option to save the password into our computer, so we won’t have to retype it every time we want to connect with the database.
I can’t find in any document how th… Continue reading How secure is pgAdmin to save database password?
Since yesterday afternoon my production Postgres database hosted on Amazon EC2 has been logging thousands of errors (averaging one or two per second) that all follow the format:
sql_error_code = 28000 FATAL: no pg_hba.conf … Continue reading Thousands of 28000 "no pg_hba.conf entry for host" logs from Postgres – is this an attack?
Microsoft today announced that it has acquired Citus Data, a company that focused on making PostgreSQL database faster and more scalable. Citus’ open source PostgreSQL extension essentially turns the application into a distributed database and while there has been a lot of hype around the NoSQL movement and document stores, relational database — and especially PostgreSQL […] Continue reading Microsoft acquires Citus Data
I’m looking for the security of sql injection.
sql = select * from where field01 = ‘1’ AND field = ‘where’
example01 (‘sql’, ‘where’)
The above sentence is looking to check that ‘where’ goes in once and ‘and’ goes in twic… Continue reading How can I check SQL statements?
Metasploit is currently embedding a version of PostgreSQL,
/opt/metasploit-framework/embedded/bin/postgres -D /home/ecarroll/.msf4/db -p 5433
I would like it to use my distro’s version (why have two servers resident?),
pg… Continue reading Can metasploit be configured to use my distro’s copy of PostgreSQL?
I was trying https://server/shared/sendemail?sendto=” and got this response:
Database operation “0or1row” failed
(exception ERROR, “ERROR: invalid input syntax for integer:”””
LINE 4: where user_id = ‘”‘;
… Continue reading SQL injection on PostgreSQL in integer field?