Dailydave mailing list archives
Re: Quick thread on SQLi
From: Jamie Riden <jamie.riden () gmail com>
Date: Wed, 7 Mar 2012 17:12:55 +0000
On 7 March 2012 16:01, Dave Aitel <dave () immunityinc com> wrote:
I know it's been a decade, and everyone is sick of talking about SQLi, but nonetheless, I was chatting with a bunch of people about it at RSA and I wanted to throw out a metric to see if we can get consensus. The metric is this: How many websites have remote anonymous SQLi as a percentage. Obviously you're going to find more SQLi if you have authentication, or are doing static analysis on their code. But that's almost unfair. So let's just look at: "Can be found remotely by someone with a minimum of time and effort". My theory is 5%, and one of the companies who does this also thought 5% sounded reasonable. I think it's an interesting number to have, and if anyone wants to chime in, feel free!
One in twenty doesn't seem too far off in my experience. However, I'm not sure how representative the sites I see are of the Internet as a whole, that is the tricky bit. To guess, I think if you ran sqlmap against websites at random, you'd be seeing something like 3-8% vulnerable.

cheers,
Jamie

--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
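The reply above turns on how representative a sample is, and how much a prevalence estimate like "5%" or "3-8%" can be trusted from a given number of randomly chosen sites. The following Python is an added example, not code from the thread or from sqlmap: it computes a Wilson score confidence interval for an observed proportion and the approximate random-sample size needed to pin the estimate down to a chosen margin. The 5% point estimate and the 3-8% range are taken from the thread; the sample counts and scan outcomes used as input are constructed for illustration.

```python
import math


def wilson_interval(successes, n, z=1.96):
    """Wilson score interval for a binomial proportion.

    successes: number of sites found vulnerable in the sample
    n:         number of sites sampled (must be > 0)
    z:         normal quantile for the confidence level (1.96 ~ 95%)
    Returns (lower, upper) as fractions in [0, 1].
    """
    if n <= 0:
        raise ValueError("n must be > 0")
    p = successes / n
    z2 = z * z
    denom = 1.0 + z2 / n
    centre = (p + z2 / (2.0 * n)) / denom
    half = z * math.sqrt(p * (1.0 - p) / n + z2 / (4.0 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def sample_size_for_margin(p, margin, z=1.96):
    """Approximate number of randomly chosen sites needed so that the
    normal-approximation confidence interval around an expected proportion p
    has half-width no larger than `margin` (e.g. 0.025 for +/- 2.5 points)."""
    if not 0.0 < p < 1.0 or margin <= 0.0:
        raise ValueError("p must be in (0,1) and margin > 0")
    return math.ceil(z * z * p * (1.0 - p) / (margin * margin))


def summarise_scan(results):
    """Given a list of per-site booleans (True = vulnerable) from a random
    sample, return the observed rate and its 95% Wilson interval."""
    n = len(results)
    hits = sum(1 for r in results if r)
    lo, hi = wilson_interval(hits, n)
    return {"n": n, "vulnerable": hits, "rate": hits / n, "ci95": (lo, hi)}


if __name__ == "__main__":
    # Constructed outcomes: 5 of 100 sampled sites flagged, i.e. the thread's 5%.
    sample = [True] * 5 + [False] * 95
    print(summarise_scan(sample))
    # How many random sites would it take to separate 3% from 8% (+/- 2.5 points)?
    print(sample_size_for_margin(0.05, 0.025))
```

With only 100 sampled sites, an observed 5% carries a 95% interval of roughly 2% to 11%, which is wider than the 3-8% guess in the reply; narrowing the estimate to plus or minus 2.5 points takes a random sample on the order of 300 sites, and more if the sample is not actually random.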
Current thread:
- Quick thread on SQLi Dave Aitel (Mar 07)
- Re: Quick thread on SQLi allison nixon (Mar 07)
- Re: Quick thread on SQLi Mary Landesman (Mar 07)
- Re: Quick thread on SQLi Jamie Riden (Mar 07)
- Re: Quick thread on SQLi Tom Brennan (Mar 07)
- Re: Quick thread on SQLi Michal Zalewski (Mar 08)
- Re: Quick thread on SQLi Dave Aitel (Mar 08)
- Re: Quick thread on SQLi Thomas Ptacek (Mar 08)
- Re: Quick thread on SQLi Michal Zalewski (Mar 08)
- Re: Quick thread on SQLi Dean Pierce (Mar 09)
- Re: Quick thread on SQLi Wim Remes (Mar 09)
- Re: Quick thread on SQLi Thomas Ptacek (Mar 09)
- Re: Quick thread on SQLi Nate Lawson (Mar 09)
- Re: Quick thread on SQLi Dave Aitel (Mar 08)
- Re: Quick thread on SQLi allison nixon (Mar 07)