[Dailydave] Quick thread on SQLi

Thomas Ptacek tqbf at matasano.com
Thu Mar 8 12:27:02 EST 2012

There are many SQLI patterns that are hard for automated tools to
find. This is an obvious point, so I'm sorry to be pedantic, but I think
a survey based on automated scanning is a misleading starting point
for the discussion.

Also, parameterized queries put a major dent in SQL mishaps, but
aren't a magic bullet. They're enough to keep trivial brochure sites
from harboring SQLI, but larger sites end up needing dynamic column
selection, pagination, sort ordering, query operators...

On Thu, Mar 8, 2012 at 10:54 AM, Dave Aitel <dave at immunityinc.com> wrote:
> 5% is WhiteHat's number -
> https://blog.whitehatsec.com/5-of-all-websites-have-had-at-least-1-sql-injection-vulnerability-without-needing-to-login/
> I think this number is probably good for a number of things: for example
> if your automated scanner is finding more or less than 5% on a large and
> diverse enough sample, you know how good it is relative to general state
> of the art. Likewise, if you have a large and diverse set of web apps,
> and you are finding less than 5% are vulnerable to SQLi, then your
> security posture may be better than average!
> Not that SQLi is "instant win" on all systems, as often people lock it
> down and you can't do much with it other than exfil a useless database.
> -dave
> On 3/7/12 3:24 PM, Michal Zalewski wrote:
>>> The metric is this: How many websites have remote anonymous SQLi as a
>>> percentage.
>> What's a "website"? A self-contained UI? A DNS label? A box that some
>> webserver runs on?
>> In any case, if you have a complex web app that uses SQL, and you
>> don't use prepared statements (both of these criteria are common), I
>> think your odds of having a discoverable vulnerability are a lot
>> higher than speculated in this thread. I'd say 50%+.
>> I pulled this out of thin air, based on anecdotal first-hand
>> experience. I.e., it's about as substantiated as any other number
>> we'll see here ;p
>> But a more pertinent question is this: if you are an organization that
>> uses SQL with no special engineering controls, what are the odds that
>> at least one of your web servers will be affected by SQLi? And that's
>> probably uncomfortably close to 100%.
>> /mz
> --
> INFILTRATE 2013 January 10th-11th in Miami - the world's best offensive information security conference.
> www.infiltratecon.com
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> http://lists.immunityinc.com/mailman/listinfo/dailydave

Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log
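The point above about dynamic column selection, sort ordering and pagination, shown as an added Python/sqlite3 example (this is not code from the original post or from anyone in the thread). The `users` and `api_keys` tables, their rows and the function names are constructed for the example. It shows why "we use parameterized queries" does not settle the question: a bound value protects the WHERE clause, but the sort column spliced into ORDER BY is still an injection sink usable as a boolean oracle; binding the column name instead does not work, because the placeholder becomes a constant; the fix is a server-side allowlist for identifiers and keywords, with LIMIT/OFFSET bound as range-checked integers.

```python
import sqlite3

# Everything here is constructed for the example: sample tables, sample rows,
# and a request-key -> column allowlist. Not from the original thread.
SORTABLE_COLUMNS = {"name": "name", "age": "age", "id": "id"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    """In-memory SQLite with a users table and a second table an attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "carol", 30), (2, "alice", 25), (3, "bob", 41)])
    conn.execute("CREATE TABLE api_keys (secret TEXT)")
    conn.execute("INSERT INTO api_keys VALUES ('s3cret')")
    return conn


def search_unsafe(conn, min_age, sort_col, direction):
    """The common pattern: the value is bound, but the sort column and
    direction are spliced into the SQL text. WHERE is parameterized;
    ORDER BY is not."""
    sql = f"SELECT name FROM users WHERE age >= ? ORDER BY {sort_col} {direction}"
    return [r[0] for r in conn.execute(sql, (min_age,))]


def blind_probe(conn, guess):
    """Attacker's view of search_unsafe: make the sort expression depend on a
    condition about another table. Name order vs. age order leaks one bit
    per request, enough to extract api_keys.secret character by character."""
    payload = (f"(CASE WHEN (SELECT substr(secret,1,1) FROM api_keys)='{guess}' "
               f"THEN name ELSE age END)")
    return search_unsafe(conn, 0, payload, "ASC") == ["alice", "bob", "carol"]


def search_bound_order(conn, min_age, sort_col):
    """The tempting 'just bind it' fix does not work: the placeholder is a
    string constant, so every row has the same sort key and no real ordering
    is applied. Safe, but functionally broken, which is why developers drift
    back to string building."""
    sql = "SELECT name FROM users WHERE age >= ? ORDER BY ?"
    return [r[0] for r in conn.execute(sql, (min_age, sort_col))]


def search_safe(conn, min_age, sort_col, direction, page, page_size):
    """Identifiers and keywords come from server-side allowlists, so request
    input never reaches the SQL text; values, including pagination, are
    range-checked and bound."""
    try:
        column = SORTABLE_COLUMNS[sort_col]
        order = DIRECTIONS[direction.lower()]
    except KeyError:
        raise ValueError("unsupported sort column or direction")
    page, page_size = int(page), int(page_size)
    if page < 1 or not 1 <= page_size <= 100:
        raise ValueError("bad page parameters")
    sql = (f"SELECT name FROM users WHERE age >= ? "
           f"ORDER BY {column} {order} LIMIT ? OFFSET ?")
    params = (min_age, page_size, (page - 1) * page_size)
    return [r[0] for r in conn.execute(sql, params)]


def rejected_by_allowlist(conn, sort_col, direction):
    """True if search_safe refuses the given sort parameters."""
    try:
        search_safe(conn, 0, sort_col, direction, 1, 10)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("oracle says first char is 's':", blind_probe(db, "s"))
    print("oracle says first char is 'x':", blind_probe(db, "x"))
    print("ORDER BY ? with 'name' bound:", search_bound_order(db, 0, "name"))
    print("allowlisted, page 1 of 2:", search_safe(db, 0, "name", "asc", 1, 2))
    print("payload against allowlist rejected:",
          rejected_by_allowlist(db, "(CASE WHEN 1 THEN name ELSE age END)", "asc"))
```

The allowlist is a mapping from request keys to column names rather than a check that the input "looks like" an identifier, so renaming a column or hiding one from the API is a one-line change and nothing from the request is ever concatenated into SQL. The same shape handles query operators: map a small set of request tokens (`eq`, `lt`, `contains`) to fixed SQL fragments and bind the operand.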
