0
votes

Question: if the UI field names used on the end-user side (for a logged-in and authorized user) are the same as, or similar to, the names of database table fields, is that a security problem called "database schema disclosure", or some other security problem that leads to a critical or medium security finding (penetration test issues)?

The sample JPA code in Java

@Entity
@Table(name = "SCHCLASS01")
public class CLASS01 {

    @Id
    @Column(name = "TBLNUM", nullable = false, precision = 0)
    private Short tblnum;

    @Basic
    @Column(name = "TBLNAME", nullable = true, length = 255)
    private String tblname;

    // …
}

Issue: the security group claims that "there should be no recognizable relationship" between the names of the fields/tables in the database and the names/URLs that are provided to the authorized end-user (the names used in the JSON for passing data). They have no problem with the contents of the fields; they have only flagged the names of the fields, because of "Database Schema Disclosure".

It should be noted that the software is only available on the internal network, and the system is basically a reporting system with a UI/backend whose UI is available as REST and through the browser. Also, the user only has READ access to the database, which is also restricted by the database.

If the answer is yes, how can one justify CMSs and commercial software such as ERPs that contain confidential information, when anyone who purchases a copy of this software can have the entire schema of its database?

1
Not sure about the question or that it belongs here. Seems an organization put in rules that limit you from exposing table/column names as entity/property names through REST to your UI. Safety by obscurity as a best practice doesn't hurt, but it doesn't seem to matter if a resource is named Employee or Person. ERP and commercial software jump through additional hoops to protect APIs that might allow unauthorized access to the data. You may know the resources and tables for the data, but are not exposed to an API that allows you to access or probe for data in another customer's system. - Chris

The claim is about standards of security. I have no idea of the standard way of mapping to expose table/column names as entity/property names through REST to the UI. - afshar
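As an added illustration (not code from the question or from any library), the usual way to satisfy the security group's rule without renaming anything in the database is to keep the JPA entity internal and expose a separate API model whose property names are chosen for the client. The `ClassSummary` record and `ClassApiMapper` below are assumptions, not part of the original post; the `jakarta.persistence` imports are one common choice for the annotations shown in the question.

```java
import jakarta.persistence.Basic;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Table;

// Persistence model: mirrors the table (as in the question) and is never
// handed to the JSON serializer directly.
@Entity
@Table(name = "SCHCLASS01")
public class CLASS01 {

    @Id
    @Column(name = "TBLNUM", nullable = false, precision = 0)
    private Short tblnum;

    @Basic
    @Column(name = "TBLNAME", nullable = true, length = 255)
    private String tblname;

    public Short getTblnum() { return tblnum; }

    public String getTblname() { return tblname; }
}

// API model (hypothetical): property names are chosen for the client, so the
// JSON that leaves the service ({"id":..,"label":..}) carries neither the
// table name nor the column names. A JSON library that serializes records by
// component name (Jackson, for example) emits exactly these keys.
record ClassSummary(Short id, String label) {}

// The mapper is the single place where the two vocabularies meet; renaming a
// column later changes this class only, not the public contract.
final class ClassApiMapper {
    private ClassApiMapper() {}

    static ClassSummary toApi(CLASS01 row) {
        return new ClassSummary(row.getTblnum(), row.getTblname());
    }
}
```

Whether this indirection is worth the maintenance cost is a separate question from whether it is required; the answer below argues the names themselves carry little risk.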

1 Answer

1
votes

This is not a real security issue. It's like claiming that WordPress is insecure because you can download the source code and read the database schema from it. This kind of information can be useful to an attacker who's attempting to exploit a SQL injection vulnerability, but so can browsing the application and looking at the available functionality to try and guess the names of tables.

Ask your "security group" to explain and quantify the risk (in terms of the impact and likelihood to the confidentiality, integrity and availability of your application), and to justify why they consider this a "critical" or "medium" risk issue.