[Dailydave] Quick thread on SQLi

Tom Brennan tomb at owasp.org
Wed Mar 7 12:35:14 EST 2012 

6.9% of our 300 forensics cases at SpiderLabs was result of sqli if that is a indicator of compromise likelihood  *plug* 2012 Global Security Report http://www.trustwave.com/GSR  - Page #8  27% is noted in the WASC WHID report that Trustwave SpiderLabs the project sponsor released in Feb 7 2012.  For further information about the WHID,  refer to http://projects.webappsec.org/Web-Hacking-Incident-Database or  *plug* https://www.trustwave.com/global-security-report  page #30 of the report includes pretty pictures <grin>

For additional reference and tools: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005) 

IMHO anonymous SQLi is a threshold of pain... attackers in my experience are (3) groups, a) indiscriminate worm/bot traversing the internet looking for any and all victims (daily it seems by my honeypots..) b) human armed with a commercial push button tool that is intelligent to first create a userID and password to auth to the website they want to play with today.... c) most of the readers of this list that will work hours, days until mission debrief on a shoehorn into the target.  So the Metric around "The metric is this: How many websites have remote anonymous SQLi as a percentage." is a nice to have but they will and should be eaten by the bear-bot ;) a second metric about with creds takes us into a wild breakout of industry type and language discussions and i could pull some numbers from our 2000 manual tests https://www.trustwave.com/global-security-report and WHS does a great job calling that out from there view of the world *plug* https://www.whitehatsec.com/resource/stats.html#winter11stats

**BTW** Nice job at RSA!

~brennan









On Mar 7, 2012, at 11:01 AM, Dave Aitel wrote:

> I know it's been a decade, and everyone is sick of talking about SQLi,
> but none-the-less, I was chatting with a bunch of people about it at RSA
> and I wanted to throw out a metric to see if we can get consensus.
> 
> The metric is this: How many websites have remote anonymous SQLi as a
> percentage. Obviously you're going to find more SQLi if you have
> authentication, or are doing static analysis on their code. But that's
> almost unfair. So let's just look at: "Can be found remotely by someone
> with a minimum of time and effort".
> 
> My theory is 5%, and one of the companies who does this also thought 5%
> sounded reasonable. 
> 
> I think it's an interesting number to have, and if anyone wants to chime
> in, feel free!
> 
> -- 
> INFILTRATE 2013 January 10th-11th in Miami - the world's best offensive information security conference.
> www.infiltratecon.com
> 
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> http://lists.immunityinc.com/mailman/listinfo/dailydave

Semper Fi,

Tom Brennan
International Board of Directors 
NYC/NJ Chapter Leader
OWASP Foundation
(t) 973-202-0122
(f) 973-506-1517
(e) tomb at owasp.org
(w) http://www.owasp.org




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20120307/fcdb8805/attachment.html>

More information about the Dailydave mailing list