Dailydave mailing list archives
Re: Quick thread on SQLi
From: Tom Brennan <tomb () owasp org>
Date: Wed, 7 Mar 2012 12:35:14 -0500
6.9% of our 300 forensics cases at SpiderLabs was the result of SQLi, if that is an indicator of compromise likelihood. *plug* 2012 Global Security Report http://www.trustwave.com/GSR - Page #8

27% is noted in the WASC WHID report that Trustwave SpiderLabs, the project sponsor, released on Feb 7 2012. For further information about the WHID, refer to http://projects.webappsec.org/Web-Hacking-Incident-Database or *plug* https://www.trustwave.com/global-security-report - page #30 of the report includes pretty pictures <grin>

For additional reference and tools: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005)

IMHO anonymous SQLi is a threshold of pain... attackers in my experience are (3) groups:
a) indiscriminate worm/bot traversing the internet looking for any and all victims (daily it seems by my honeypots..)
b) human armed with a commercial push-button tool that is intelligent enough to first create a userID and password to auth to the website they want to play with today....
c) most of the readers of this list, who will work hours, days until mission debrief on a shoehorn into the target.

So the metric around "The metric is this: How many websites have remote anonymous SQLi as a percentage." is a nice to have, but they will and should be eaten by the bear-bot ;) A second metric, with creds, takes us into a wild breakout of industry type and language discussions, and I could pull some numbers from our 2000 manual tests https://www.trustwave.com/global-security-report and WHS does a great job calling that out from their view of the world *plug* https://www.whitehatsec.com/resource/stats.html#winter11stats

**BTW** Nice job at RSA!

~brennan

On Mar 7, 2012, at 11:01 AM, Dave Aitel wrote:
I know it's been a decade, and everyone is sick of talking about SQLi, but nonetheless, I was chatting with a bunch of people about it at RSA and I wanted to throw out a metric to see if we can get consensus.

The metric is this: How many websites have remote anonymous SQLi, as a percentage?

Obviously you're going to find more SQLi if you have authentication, or are doing static analysis on their code. But that's almost unfair. So let's just look at: "Can be found remotely by someone with a minimum of time and effort".

My theory is 5%, and one of the companies who does this also thought 5% sounded reasonable. I think it's an interesting number to have, and if anyone wants to chime in, feel free!

--
INFILTRATE 2013 January 10th-11th in Miami - the world's best offensive information security conference.
www.infiltratecon.com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
http://lists.immunityinc.com/mailman/listinfo/dailydave
Semper Fi,
Tom Brennan
International Board of Directors
NYC/NJ Chapter Leader
OWASP Foundation
(t) 973-202-0122 (f) 973-506-1517
(e) tomb () owasp org
(w) http://www.owasp.org
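The exchange above turns on what "remote anonymous SQLi found with a minimum of time and effort" actually looks like against a site, and on Brennan's point that an unauthenticated hole is exactly what the indiscriminate bots sweep for. The following Python is an added illustration, not code from either poster or from any of the reports linked: an in-memory SQLite table (constructed sample rows, including one non-public row) behind an anonymous product lookup written two ways, plus the cheapest boolean probe a scanner would send to tell the two apart without any credentials. The function and table names are this example's own.

```python
import sqlite3

# Constructed sample data (not from the thread): a catalogue with one row
# that the anonymous product page is not supposed to reach.
ROWS = [
    (1, "widget", 1),
    (2, "gadget", 1),
    (3, "secret-prototype", 0),
]


def make_db():
    """In-memory SQLite database standing in for the site's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, product_id):
    """Anonymous endpoint that splices the request parameter into the query.
    This is the 'remote anonymous SQLi' case in Aitel's metric: no account needed,
    and the public=1 filter is defeated by a trailing OR."""
    sql = "SELECT name FROM products WHERE public = 1 AND id = %s ORDER BY id" % product_id
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn, product_id):
    """Same endpoint with the parameter validated as an integer and then bound.
    Binding is the fix; the int() check is defence in depth."""
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []
    sql = "SELECT name FROM products WHERE public = 1 AND id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (pid,))]


def boolean_probe(endpoint, conn, base="1"):
    """Minimum-effort remote test: append a true and a false condition to a
    known-good value and compare each response with the baseline. If the true
    case matches the baseline and the false case does not, the parameter is
    reaching the query unescaped. Database errors are captured rather than
    raised so the probe behaves like a scanner that only sees responses."""
    def call(payload):
        try:
            return ("ok", endpoint(conn, payload))
        except sqlite3.Error as exc:
            return ("error", type(exc).__name__)

    baseline = call(base)
    true_case = call(base + " AND 1=1")
    false_case = call(base + " AND 1=2")
    return true_case == baseline and false_case != baseline


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, id=1:", lookup_vulnerable(conn, "1"))
    print("vulnerable, id=1 OR 1=1:", lookup_vulnerable(conn, "1 OR 1=1"))
    print("fixed, id=1 OR 1=1:", lookup_fixed(conn, "1 OR 1=1"))
    print("probe vulnerable:", boolean_probe(lookup_vulnerable, conn))
    print("probe fixed:", boolean_probe(lookup_fixed, conn))
```

The probe sends three requests and needs no login, which is why a site that fails it is in the population Aitel is asking about and in the population Brennan's group (a) finds on its own; the authenticated and source-assisted findings both posters set aside would need a session or the code first.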
Current thread:
- Quick thread on SQLi Dave Aitel (Mar 07)
- Re: Quick thread on SQLi allison nixon (Mar 07)
- Re: Quick thread on SQLi Mary Landesman (Mar 07)
- Re: Quick thread on SQLi Jamie Riden (Mar 07)
- Re: Quick thread on SQLi Tom Brennan (Mar 07)
- Re: Quick thread on SQLi Michal Zalewski (Mar 08)
- Re: Quick thread on SQLi Dave Aitel (Mar 08)
- Re: Quick thread on SQLi Thomas Ptacek (Mar 08)
- Re: Quick thread on SQLi Michal Zalewski (Mar 08)
- Re: Quick thread on SQLi Dean Pierce (Mar 09)
- Re: Quick thread on SQLi Wim Remes (Mar 09)
- Re: Quick thread on SQLi Thomas Ptacek (Mar 09)
- Re: Quick thread on SQLi Nate Lawson (Mar 09)
- Re: Quick thread on SQLi Dave Aitel (Mar 08)
- Re: Quick thread on SQLi allison nixon (Mar 07)