Questions tagged [postgresql]
PostgreSQL is an open-source RDBMS.
57 questions
1 vote, 0 answers, 24 views
Using database_to_xml in SQL Injection on PostgreSQL doesn't show data
We have found SQL injection on a PostgreSQL database. Stacked and UNION payloads. We have created a table to store data as needed and the UNION to extract either from the table or to pull out data ...
4 votes, 1 answer, 1k views
Is using `crypt` in PostgreSQL for password comparison secure against timing attacks?
I'm currently using PostgreSQL with the pgcrypto extension to store and verify user passwords. When a user logs in, I compare the entered password with the stored hash using the following query: ...
0 votes, 1 answer, 1k views
How to do character escaping in PostgreSQL to prevent a SQL injection attack?
I want to prevent SQL injection attacks in a rather abstract application. Therefore I want to escape all user provided input as described here. The other options provided on this page don't fit in my ...
1 vote, 2 answers, 4k views
AWS RDS Database access from Github Actions
I have a Postgres database hosted in AWS RDS. The rest of my application is also hosted on AWS. The database migrations, like adding a new column, are done by Prisma, a node package. The pipeline is ...
0 votes, 0 answers, 127 views
Using different public keys on the same (encrypted) column
Generally, when encrypting sensitive-data columns, we use the same public key for all the rows. I have noticed that it is possible to use different public keys for different rows. For example, ...
3 votes, 2 answers, 188 views
Any obvious pitfalls of modeling access control policies using subject, scope, object?
Context: A small web application with a REST API and postgres as db, that has users, documents and teams. A user can do basic CRUD operations on document. A user is always a part of a team. A team is ...
25 votes, 6 answers, 9k views
Is a sha256 hash of a unix timestamp a strong password?
I am setting up a postgres db that will never be used by humans. In fact, I really don't need to know it myself ever. I assumed that just using a 256-bit (64 alphanumeric chars) hash of a unix timestamp ...
0 votes, 0 answers, 93 views
Is there much practical security value in using passwords/usernames for postgres instances used on development machines?
So say you are developing multiple different projects for different clients and want your developers to use postgres on their development machine (i.e. localhost connection in the development ...
1 vote, 0 answers, 2k views
Bypass sql injection filtering (whitespace, /, *) [closed]
I want to bypass a sql injection waf that replaces /, * and whitespace. This is a payload I want to use: ?parameter=22321'union select CAST(normal_column AS bigint),'a','b' from normal_table-- But the ...
3 votes, 1 answer, 705 views
Does "row-level security" actually serve a security purpose?
Row-level security is often an industry requirement in secure environments, such as those dealing with payment cards. It's supported by most major relational databases, including PostgreSQL, Microsoft ...
0 votes, 1 answer, 319 views
Postgres.app security on a Mac?
I'm wondering if there are any security concerns with installing PostgreSQL on a Mac using the app? https://www.postgresql.org/download/macosx/ I had a look at the data folder and it's owned by me ...
2 votes, 0 answers, 219 views
Pros and Cons of hashing password on DB or on API server interacting with db [closed]
I'm trying to understand what is good/bad about hashing a password on a database (like postgres) as opposed to hashing it on an api server and then sending it hashed to the db. Can anyone speak on ...
0 votes, 1 answer, 404 views
Escaping out of a select query to run a statement that modifies data in the database
Let's say you use SELECT * FROM ($query) sub where you can swap $query to any query you wish. Is there a way to escape this select and run a command that modifies data in the database?
0 votes, 1 answer, 3k views
Postgres password hash crack
I installed the latest version of PostgreSQL (13.2) to understand it better and I used the command SELECT usename, passwd from pg_shadow; to extract the hash with the default username postgres but I ...
0 votes, 1 answer, 138 views
How to use the Gutmann method in SQL?
Is it possible to use the Gutmann method for a single SQL cell?