Skip to content

You have SQL injection on a production app and could dump the entire customer database to prove impact. What's the responsible proof?

Short answer

Prove the vulnerability without harming the client or hoarding their data: show you can read arbitrary data via the DB version, schema, or a single redacted sample, then stop. Dumping the full PII dataset creates breach-notification and data-handling liability for both parties. Dropping a table is destructive and well beyond proof-of-concept. Encrypting the database and demanding a bounty is extortion, not testing — it is a crime, not a finding.

The goal of a penetration test is to demonstrate risk so it can be fixed — not to actually realize that risk against the client. With SQL injection, you can prove the vulnerability conclusively without ever touching real customer data.

Why minimal demonstration is correct

Extract something that proves arbitrary read access but is harmless: the database version string, the current user, the schema, a COUNT(*) of a sensitive table, or a single record with sensitive fields redacted. That evidence is unambiguous — it shows you can read data you shouldn't — yet it leaves no PII in your hands and creates no new breach. This is data minimization applied to offensive work, and it is exactly what a mature tester does.

Why the other options are wrong

  • Dump the full customer database. The instant you exfiltrate real PII you have arguably caused a reportable data breach yourself, triggering notification duties under GDPR/CCPA and creating a custody-and-deletion liability for both you and the client. A bigger dump does not prove the bug any better than a row count does.
  • Drop a table. This is destructive and far outside proof-of-concept. Proving write access never requires damaging production data — you can demonstrate it more safely (e.g., a benign, reversible marker in a non-production-critical field, only if authorized).
  • Encrypt the database and demand a bounty. That is ransomware and extortion. It is a crime, full stop, and the opposite of the trust relationship a test depends on.

What an interviewer is probing

They want restraint and an understanding of liability. A weak candidate equates a dramatic dump with impressive impact. A strong one knows that the most professional proof is the smallest one that settles the question, because every extra byte of customer data you touch is risk you have imported onto yourself and your client.

Likely follow-ups

  • How do you prove write access exists without actually modifying or destroying data?
  • What data-protection obligations attach the moment you exfiltrate real PII?
  • How would you safely evidence the finding for the report?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.