[Dailydave] Quick thread on SQLi
Dave Aitel
dave at immunityinc.com
Thu Mar 8 11:54:21 EST 2012
5% is WhiteHat's number -
https://blog.whitehatsec.com/5-of-all-websites-have-had-at-least-1-sql-injection-vulnerability-without-needing-to-login/
I think this number is probably good for a number of things: for example
if your automated scanner is finding more or less than 5% on a large and
diverse enough sample, you know how good it is relative to general state
of the art. Likewise, if you have a large and diverse set of web apps,
and you are finding less than 5% are vulnerable to SQLi, then your
security posture may be better than average!
Not that SQLi is "instant win" on all systems, as often people lock it
down and you can't do much with it other than exfil a useless database.
-dave
On 3/7/12 3:24 PM, Michal Zalewski wrote:
>> The metric is this: How many websites have remote anonymous SQLi as a
>> percentage.
> What's a "website"? A self-contained UI? A DNS label? A box that some
> webserver runs on?
>
> In any case, if you have a complex web app that uses SQL, and you
> don't use prepared statements (both of these criteria are common), I
> think your odds of having a discoverable vulnerability are a lot
> higher than speculated in this thread. I'd say 50%+.
>
> I pulled this out of thin air, based on anecdotal first-hand
> experience. I.e., it's about as substantiated as any other number
> we'll see here ;p
>
> But a more pertinent question is this: if you are an organization that
> uses SQL with no special engineering controls, what are the odds that
> at least one of your web servers will be affected by SQLi? And that's
> probably uncomfortably close to 100%.
>
> /mz
--
INFILTRATE 2013 January 10th-11th in Miami - the world's best offensive information security conference.
www.infiltratecon.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20120308/744319ed/attachment.sig>
More information about the Dailydave
mailing list