Dailydave mailing list archives

Re: Quick thread on SQLi


From: Tom Brennan <tomb () owasp org>
Date: Wed, 7 Mar 2012 12:35:14 -0500

6.9% of our 300 forensics cases at SpiderLabs were the result of SQLi, if that is an indicator of compromise likelihood.
*plug* 2012 Global Security Report http://www.trustwave.com/GSR - Page #8. 27% is noted in the WASC WHID report that
Trustwave SpiderLabs, the project sponsor, released on Feb 7 2012. For further information about the WHID, refer to
http://projects.webappsec.org/Web-Hacking-Incident-Database or *plug* https://www.trustwave.com/global-security-report
- page #30 of the report includes pretty pictures <grin>

For additional reference and tools: https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OWASP-DV-005) 

IMHO anonymous SQLi is a threshold of pain... attackers in my experience are (3) groups: a) an indiscriminate worm/bot
traversing the internet looking for any and all victims (daily, it seems, by my honeypots..), b) a human armed with a
commercial push-button tool that is intelligent enough to first create a userID and password to auth to the website they want
to play with today...., c) most of the readers of this list, who will work hours, days until mission debrief on a
shoehorn into the target. So the metric around "The metric is this: How many websites have remote anonymous SQLi as a
percentage." is a nice-to-have, but they will and should be eaten by the bear-bot ;) A second metric, with creds,
takes us into a wild breakout of industry type and language discussions, and I could pull some numbers from our 2000
manual tests https://www.trustwave.com/global-security-report and WHS does a great job calling that out from their view
of the world *plug* https://www.whitehatsec.com/resource/stats.html#winter11stats

**BTW** Nice job at RSA!

~brennan

On Mar 7, 2012, at 11:01 AM, Dave Aitel wrote:

I know it's been a decade, and everyone is sick of talking about SQLi,
but nonetheless, I was chatting with a bunch of people about it at RSA
and I wanted to throw out a metric to see if we can get consensus.

The metric is this: How many websites have remote anonymous SQLi as a
percentage. Obviously you're going to find more SQLi if you have
authentication, or are doing static analysis on their code. But that's
almost unfair. So let's just look at: "Can be found remotely by someone
with a minimum of time and effort".

My theory is 5%, and one of the companies who does this also thought 5%
sounded reasonable. 

I think it's an interesting number to have, and if anyone wants to chime
in, feel free!

-- 
INFILTRATE 2013 January 10th-11th in Miami - the world's best offensive information security conference.
www.infiltratecon.com


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
http://lists.immunityinc.com/mailman/listinfo/dailydave

Semper Fi,

Tom Brennan
International Board of Directors 
NYC/NJ Chapter Leader
OWASP Foundation
(t) 973-202-0122
(f) 973-506-1517
(e) tomb () owasp org
(w) http://www.owasp.org