[Dailydave] Quick thread on SQLi

Dave Aitel dave at immunityinc.com
Wed Mar 7 11:01:58 EST 2012

I know it's been a decade, and everyone is sick of talking about SQLi,
but nonetheless, I was chatting with a bunch of people about it at RSA
and I wanted to throw out a metric to see if we can get consensus.

The metric is this: How many websites have remote anonymous SQLi as a
percentage. Obviously you're going to find more SQLi if you have
authentication, or are doing static analysis on their code. But that's
almost unfair. So let's just look at: "Can be found remotely by someone
with a minimum of time and effort".

My theory is 5%, and one of the companies who does this also thought 5%
sounded reasonable.

I think it's an interesting number to have, and if anyone wants to chime
in, feel free!

INFILTRATE 2013 January 10th-11th in Miami - the world's best offensive information security conference.

