Autopsies

Gavel: Trust Boundary Collapse in Dynamic SQL Logic

A system autopsy examining how dynamic SQL construction in an internal auction platform invalidated PDO security assumptions and enabled credential disclosure.

Tags: trust-boundary, dynamic-sql, logic-flaw, pdo

System Context

Gavel is an internal auction-style application designed to manage inventory and bidding workflows. The system relied on PDO prepared statements and was assumed to be protected against SQL injection through parameterization.

User-facing features included dynamic sorting and filtering to support operational flexibility.


Failed Design Assumption

The core assumption was that prepared statements alone were sufficient to enforce query safety. However, user-controlled input (the dynamic sort and filter options) shaped the structure of the query at runtime, crossing the boundary between data and execution logic: parameterization only protects bound values, not the clauses that are assembled around them.

As a result, the database executed queries whose behavior was partially defined by external input rather than fixed application intent.


Impact

This design flaw enabled disclosure of sensitive credential data, providing initial access to the system. Once access was established, additional weaknesses could be chained to escalate privileges and compromise system integrity.

The failure was rooted in logic design, not missing patches or outdated dependencies.


Why This Was Hard to Detect

The application behaved correctly under normal usage. Query syntax remained valid, and no obvious injection patterns appeared during routine testing.

Because the behavior aligned with legitimate workflows, abnormal execution paths blended into expected activity, allowing the flaw to survive security review.


Design Lessons

This case demonstrates that:

  • Prepared statements protect values, not execution intent
  • Trust boundaries must be explicit and enforced structurally
  • Security guarantees must not depend on runtime interpretation

When execution logic becomes flexible, security becomes fragile.
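The pattern behind the failed assumption and the lessons above, as an added PDO example that is not Gavel's code (table, column and sort-key names are assumed for illustration): the status filter is bound, but the sort column is spliced into the statement text, so PDO never sees it as data; the hardened builder instead maps the user's sort key through an allowlist so the SQL structure stays fixed by the application.

```php
<?php
declare(strict_types=1);

// Assumed schema, constructed for this example only.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE lots (id INTEGER PRIMARY KEY, title TEXT, price INTEGER, status TEXT)');
$pdo->exec("INSERT INTO lots (title, price, status) VALUES ('Lamp', 40, 'open'), ('Desk', 120, 'open'), ('Chair', 60, 'closed')");

// VULNERABLE: the filter value is a bound parameter, but the sort key is
// user input interpolated into the statement text. The prepared statement
// protects only the bound value; whatever $sort contains becomes query structure.
function listLotsUnsafe(PDO $pdo, string $status, string $sort): array
{
    $stmt = $pdo->prepare("SELECT id, title, price FROM lots WHERE status = ? ORDER BY {$sort}");
    $stmt->execute([$status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the user picks a key, the application owns the SQL fragment.
// Structure is fixed at design time; only the bound value crosses the boundary.
const SORT_COLUMNS = ['price' => 'price', 'title' => 'title', 'newest' => 'id'];

function listLotsSafe(PDO $pdo, string $status, string $sortKey, string $dir): array
{
    if (!array_key_exists($sortKey, SORT_COLUMNS)) {
        throw new InvalidArgumentException("unknown sort key: {$sortKey}");
    }
    $direction = strtolower($dir) === 'desc' ? 'DESC' : 'ASC';
    $sql = 'SELECT id, title, price FROM lots WHERE status = ? ORDER BY '
         . SORT_COLUMNS[$sortKey] . " {$direction}";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Under expected input both builders return the same rows, which is why the
// unsafe form passes functional testing and routine review.
print_r(listLotsUnsafe($pdo, 'open', 'price'));
print_r(listLotsSafe($pdo, 'open', 'price', 'asc'));

// Only the hardened builder refuses a value that is not a known sort key,
// so anything other than the fixed options never reaches the SQL text.
try {
    listLotsSafe($pdo, 'open', 'price, title', 'asc');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The same allowlist approach applies to filter column names and sort direction; the detection check in review is any string concatenation or interpolation into a `prepare()` argument, regardless of whether placeholders are also present.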


Technical Proof

→ Technical proof and source analysis available on request.