Dailydave mailing list archives
Re: Quick thread on SQLi
From: Thomas Ptacek <tqbf () matasano com>
Date: Thu, 8 Mar 2012 11:27:02 -0600
There are many SQLI patterns that are hard for automated tools to find. This is an obvious point, so I'm sorry to pedantic, but I think a survey based on automated scanning is a misleading starting point for the discussion. Also, parameterized queries put a major dent in SQL mishaps, but aren't a magic bullet. They're enough to keep trivial brochure sites from harboring SQLI, but larger sites end up needing dynamic column selection, pagination, sort ordering, query operators... On Thu, Mar 8, 2012 at 10:54 AM, Dave Aitel <dave () immunityinc com> wrote:
5% is WhiteHat's number - https://blog.whitehatsec.com/5-of-all-websites-have-had-at-least-1-sql-injection-vulnerability-without-needing-to-login/ I think this number is probably good for a number of things: for example if your automated scanner is finding more or less than 5% on a large and diverse enough sample, you know how good it is relative to general state of the art. Likewise, if you have a large and diverse set of web apps, and you are finding less than 5% are vulnerable to SQLi, then your security posture may be better than average! Not that SQLi is "instant win" on all systems, as often people lock it down and you can't do much with it other than exfil a useless database. -dave On 3/7/12 3:24 PM, Michal Zalewski wrote:The metric is this: How many websites have remote anonymous SQLi as a percentage.What's a "website"? A self-contained UI? A DNS label? A box that some webserver runs on? In any case, if you have a complex web app that uses SQL, and you don't use prepared statements (both of these criteria are common), I think your odds of having a discoverable vulnerability are a lot higher than speculated in this thread. I'd say 50%+. I pulled this out of thin air, based on anecdotal first-hand experience. I.e., it's about as substantiated as any other number we'll see here ;p But a more pertinent question is this: if you are an organization that uses SQL with no special engineering controls, what are the odds that at least one of your web servers will be affected by SQLi? And that's probably uncomfortably close to 100%. /mz-- INFILTRATE 2013 January 10th-11th in Miami - the world's best offensive information security conference. www.infiltratecon.com _______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com http://lists.immunityinc.com/mailman/listinfo/dailydave
-- --- Thomas H. Ptacek // matasano security read us on the web: http://www.matasano.com/log _______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com http://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- Quick thread on SQLi Dave Aitel (Mar 07)
- Re: Quick thread on SQLi allison nixon (Mar 07)
- Re: Quick thread on SQLi Mary Landesman (Mar 07)
- Re: Quick thread on SQLi Jamie Riden (Mar 07)
- Re: Quick thread on SQLi Tom Brennan (Mar 07)
- Re: Quick thread on SQLi Michal Zalewski (Mar 08)
- Re: Quick thread on SQLi Dave Aitel (Mar 08)
- Re: Quick thread on SQLi Thomas Ptacek (Mar 08)
- Re: Quick thread on SQLi Michal Zalewski (Mar 08)
- Re: Quick thread on SQLi Dean Pierce (Mar 09)
- Re: Quick thread on SQLi Wim Remes (Mar 09)
- Re: Quick thread on SQLi Thomas Ptacek (Mar 09)
- Re: Quick thread on SQLi Nate Lawson (Mar 09)
- Re: Quick thread on SQLi Dave Aitel (Mar 08)
- Re: Quick thread on SQLi allison nixon (Mar 07)