Dailydave mailing list archives
Re: Quick thread on SQLi
From: Thomas Ptacek <tqbf () matasano com>
Date: Thu, 8 Mar 2012 14:17:30 -0600
Without meaning to open another can of worms: Web application ~= code repository. Obviously not a decidable problem for computer programs working with deployment artifacts, but many consulting engagements do start out with reliable(-enough) mappings.

I'm not so much wading into the specific statistic. Michal makes a good point --- any automated survey hoping to provide an SQLI metric does contend with either a meaningless definition of "application" or an undecidable problem. My only point is: even if you had a reliable classification of a huge number of applications across many diverse customers (for instance, Veracode might), any automated survey is bound to be biased in other ways.

I think Michal and I agree that SQLI is much more prevalent than the conventional wisdom dictates.

On Thu, Mar 8, 2012 at 1:17 PM, Michal Zalewski <lcamtuf () coredump cx> wrote:
>> There are many SQLI patterns that are hard for automated tools to find. This is an obvious point, so I'm sorry to be pedantic, but I think a survey based on automated scanning is a misleading starting point for the discussion.
>
> Well, the definition of a web application is a surprisingly challenging problem, too. This is particularly true for any surveys that randomly sample Internet destinations.
>
> Should all the default "it works!" webpages produced by webservers be counted as "web applications"? In naive counts, they are, but analyzing them for web app vulnerabilities is meaningless. In general, at what level of complexity does a "web application" begin, and how do you measure that when doing an automated scan?
>
> Further, if there are 100 IPs that serve the same www.youtube.com front-end to different regions, are they separate web applications? In many studies, they are. On the flip side, is a single physical server with 10,000 parked domains a single web application? Some studies see it as 10,000 apps.
>
> Heck, is www.google.com a web application, or a collection of several hundred web apps? In my view, it's the latter, but how do you tell with a script? Would it be considered a single application were it running on a single physical machine? The intuitive answer is "no", but then, from the perspective of SQLi or an RCE bug, there is a difference of sorts.
>
> There's more... are foo.blogspot.com and bar.blogspot.com separate "web applications"? If not, then what about *.appspot.com? How does an automated tool determine the difference between these environments? The list goes on...
>
> In such cases, manually constructed and carefully vetted data is actually quite likely to be more meaningful than any automated studies.
>
> /mz
--
---
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log