Dailydave mailing list archives
Re: Quick thread on SQLi
From: Wim Remes <wremes () gmail com>
Date: Thu, 8 Mar 2012 21:13:09 +0100
Michal,

Thanks for bringing sense into this discussion. A metric isn't a metric until you know what you measure.

For what it is worth, I understand that webapp should better be "entity scanned", as it would cover both app.domain.com and www.domain.com/app. It may be a useful metric for vendors to prove relevancy; from an owner's point of view... what does it mean? And how much is good enough?

Cheers,
W

On 08 Mar 2012, at 20:17, Michal Zalewski <lcamtuf () coredump cx> wrote:
>> There are many SQLI patterns that are hard for automated tools to find. This is an obvious point, so I'm sorry to be pedantic, but I think a survey based on automated scanning is a misleading starting point for the discussion.
>
> Well, the definition of a web application is a surprisingly challenging problem, too. This is particularly true for any surveys that randomly sample Internet destinations.
>
> Should all the default "it works!" webpages produced by webservers be counted as "web applications"? In naive counts, they are, but analyzing them for web app vulnerabilities is meaningless. In general, at what level of complexity does a "web application" begin, and how do you measure that when doing an automated scan?
>
> Further, if there are 100 IPs that serve the same www.youtube.com front-end to different regions, are they separate web applications? In many studies, they are. On the flip side, is a single physical server with 10,000 parked domains a single web application? Some studies see it as 10,000 apps.
>
> Heck, is www.google.com a web application, or a collection of several hundred web apps? In my view, it's the latter, but how do you tell with a script? Would it be considered a single application were it running on a single physical machine? The intuitive answer is "no", but then, from the perspective of SQLi or an RCE bug, there is a difference of sorts.
>
> There's more... are foo.blogspot.com and bar.blogspot.com separate "web applications"? If not, then what about *.appspot.com? How does an automated tool determine the difference between these environments? The list goes on...
>
> In such cases, manually constructed and carefully vetted data is actually quite likely to be more meaningful than any automated studies.
>
> /mz
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
http://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Quick thread on SQLi Dave Aitel (Mar 07)
- Re: Quick thread on SQLi allison nixon (Mar 07)
- Re: Quick thread on SQLi Mary Landesman (Mar 07)
- Re: Quick thread on SQLi Jamie Riden (Mar 07)
- Re: Quick thread on SQLi Tom Brennan (Mar 07)
- Re: Quick thread on SQLi Michal Zalewski (Mar 08)
- Re: Quick thread on SQLi Dave Aitel (Mar 08)
- Re: Quick thread on SQLi Thomas Ptacek (Mar 08)
- Re: Quick thread on SQLi Michal Zalewski (Mar 08)
- Re: Quick thread on SQLi Dean Pierce (Mar 09)
- Re: Quick thread on SQLi Wim Remes (Mar 09)
- Re: Quick thread on SQLi Thomas Ptacek (Mar 09)
- Re: Quick thread on SQLi Nate Lawson (Mar 09)
- Re: Quick thread on SQLi Dave Aitel (Mar 08)
- Re: Quick thread on SQLi allison nixon (Mar 07)