Dailydave mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Quick thread on SQLi

From: Jamie Riden <jamie.riden () gmail com>
Date: Wed, 7 Mar 2012 17:12:55 +0000
On 7 March 2012 16:01, Dave Aitel <dave () immunityinc com> wrote:

I know it's been a decade, and everyone is sick of talking about SQLi,
but none-the-less, I was chatting with a bunch of people about it at RSA
and I wanted to throw out a metric to see if we can get consensus.

The metric is this: How many websites have remote anonymous SQLi as a
percentage. Obviously you're going to find more SQLi if you have
authentication, or are doing static analysis on their code. But that's
almost unfair. So let's just look at: "Can be found remotely by someone
with a minimum of time and effort".

My theory is 5%, and one of the companies who does this also thought 5%
sounded reasonable.

I think it's an interesting number to have, and if anyone wants to chime
in, feel free!


One in twenty doesn't seem too far off in my experience. However,I'm
not sure how representative the sites I see are of the Internet as a
whole, that is the tricky bit.

To guess, I think if you ran sqlmap against websites at random, you'd
be seeing something like 3-8% vulnerable.

cheers,
 Jamie
-- 
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
http://lists.immunityinc.com/mailman/listinfo/dailydave
Previous By Date Next
Previous By Thread Next

Current thread: