[Dailydave] Quick thread on SQLi

Thomas Ptacek tqbf at matasano.com
Thu Mar 8 15:17:30 EST 2012


Without meaning to open another can of worms:

Web application ~= code repository.

Obviously not a decidable problem for computer programs working with
deployment artifacts, but many consulting engagements do start out
with reliable(-enough) mappings.

I'm not so much wading into the specific statistic. Michal makes a
good point --- any automated survey hoping to provide an SQLI metric
does contend with either a meaningless definition of "application" or
an undecidable problem.

My only point is: even if you had a reliable classification of a huge
number of applications across many diverse customers (for instance,
Veracode might), any automated survey is bound to be biased in other
ways.

I think Michal and I agree that SQLI is much more prevalent than the
conventional wisdom dictates.

On Thu, Mar 8, 2012 at 1:17 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
>> There are many SQLI patterns that are hard for automated tools to
>> find. This is an obvious point, so I'm sorry to pedantic, but I think
>> a survey based on automated scanning is a misleading starting point
>> for the discussion.
>
> Well, the definition of a web application  is a surprisingly
> challenging problem, too. This is particularly true for any surveys
> that randomly sample Internet destinations.
>
> Should all the default "it works!" webpages produced by webservers be
> counted as "web applications"? In naive counts, they are, but
> analyzing them for web app vulnerabilities is  meaningless. In
> general, at what level of complexity does a "web application" begin,
> and how do you measure that when doing an automated scan?
>
> Further, if there are 100 IPs that serve the same www.youtube.com
> front-end to different regions, are they separate web applications? In
> many studies, they are. On the flip side, is a single physical server
> with 10,000 parked domains a single web application? Some studies see
> it as 10,000 apps.
>
> Heck, is www.google.com a web application, or a collection of several
> hundred web apps? In my view, it's the latter, but how do you tell
> with a script?
>
> Would it be considered a single application were it running on a
> single physical machine? The intuitive answer is "no", but then, from
> the perspective of SQLi or an RCE bug, there is a difference of sorts.
>
> There's more... are foo.blogspot.com and bar.blogspot.com separate
> "web applications"? If not, then what about *.appspot.com? How does an
> automated tool determine the difference between these environments?
>
> The list goes on... In such cases, manually constructed and carefully
> vetted data is actually quite likely to be more meaningful than any
> automated
> studies.
>
> /mz



-- 
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log


More information about the Dailydave mailing list