Dailydave mailing list archives

Quick thread on SQLi

From: Dave Aitel <dave () immunityinc com>
Date: Wed, 07 Mar 2012 11:01:58 -0500

I know it's been a decade, and everyone is sick of talking about SQLi,
but none-the-less, I was chatting with a bunch of people about it at RSA
and I wanted to throw out a metric to see if we can get consensus.

The metric is this: How many websites have remote anonymous SQLi as a
percentage. Obviously you're going to find more SQLi if you have
authentication, or are doing static analysis on their code. But that's
almost unfair. So let's just look at: "Can be found remotely by someone
with a minimum of time and effort".

My theory is 5%, and one of the companies who does this also thought 5%
sounded reasonable. 

I think it's an interesting number to have, and if anyone wants to chime
in, feel free!

-- 
INFILTRATE 2013 January 10th-11th in Miami - the world's best offensive information security conference.
www.infiltratecon.com

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
http://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

Quick thread on SQLi Dave Aitel (Mar 07)
- Re: Quick thread on SQLi allison nixon (Mar 07)
  - Re: Quick thread on SQLi Mary Landesman (Mar 07)
- Re: Quick thread on SQLi Jamie Riden (Mar 07)
- Re: Quick thread on SQLi Tom Brennan (Mar 07)
- Re: Quick thread on SQLi Michal Zalewski (Mar 08)
  - Re: Quick thread on SQLi Dave Aitel (Mar 08)
    - Re: Quick thread on SQLi Thomas Ptacek (Mar 08)
    - Re: Quick thread on SQLi Michal Zalewski (Mar 08)
    - Re: Quick thread on SQLi Dean Pierce (Mar 09)
    - Re: Quick thread on SQLi Wim Remes (Mar 09)

(Thread continues...)