Dailydave mailing list archives

Re: Quick thread on SQLi

From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 7 Mar 2012 12:24:49 -0800

The metric is this: How many websites have remote anonymous SQLi as a
percentage.


What's a "website"? A self-contained UI? A DNS label? A box that some
webserver runs on?

In any case, if you have a complex web app that uses SQL, and you
don't use prepared statements (both of these criteria are common), I
think your odds of having a discoverable vulnerability are a lot
higher than speculated in this thread. I'd say 50%+.

I pulled this out of thin air, based on anecdotal first-hand
experience. I.e., it's about as substantiated as any other number
we'll see here ;p

But a more pertinent question is this: if you are an organization that
uses SQL with no special engineering controls, what are the odds that
at least one of your web servers will be affected by SQLi? And that's
probably uncomfortably close to 100%.

/mz
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
http://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

Quick thread on SQLi Dave Aitel (Mar 07)
- Re: Quick thread on SQLi allison nixon (Mar 07)
  - Re: Quick thread on SQLi Mary Landesman (Mar 07)
- Re: Quick thread on SQLi Jamie Riden (Mar 07)
- Re: Quick thread on SQLi Tom Brennan (Mar 07)
- Re: Quick thread on SQLi Michal Zalewski (Mar 08)
  - Re: Quick thread on SQLi Dave Aitel (Mar 08)
    - Re: Quick thread on SQLi Thomas Ptacek (Mar 08)
    - Re: Quick thread on SQLi Michal Zalewski (Mar 08)
    - Re: Quick thread on SQLi Dean Pierce (Mar 09)
    - Re: Quick thread on SQLi Wim Remes (Mar 09)
    - Re: Quick thread on SQLi Thomas Ptacek (Mar 09)
    - Re: Quick thread on SQLi Nate Lawson (Mar 09)