This issue of failing to remove the proper column extracts from data returned by API operations created via code reuse requires really detailed table security to even begin to prevent. Aside from GRANT and REVOKE, I'm not sure ANSI SQL offers any other access control statements. Various technology-specific extensions to the DAL, DDL and DML (Data Access, Data Definition and Data Modification Languages) may exist depending on the RDBMS and DBA. However, even the most comprehensive security policies/constraints aren't going to stop application business logic errors--no excuses can be made for the developers there.
Thanks to Bugcrowd as well as Mr. Peter Yaworski .
Great talk Peter! Your a treat in webhacking and security in general.
Thank you Peter, this lesson really expanded my way of hunting.
This issue of failing to remove the proper column extracts from data returned by API operations created via code reuse requires really detailed table security to even begin to prevent. Aside from GRANT and REVOKE, I'm not sure ANSI SQL offers any other access control statements. Various technology-specific extensions to the DAL, DDL and DML (Data Access, Data Definition and Data Modification Languages) may exist depending on the RDBMS and DBA. However, even the most comprehensive security policies/constraints aren't going to stop application business logic errors--no excuses can be made for the developers there.
You are so sweet like the hacker who saved the internet marcus hutchins.
your ideas stil dangourase ✌ still high