[Dailydave] Quick thread on SQLi
elsakoo at gmail.com
Wed Mar 7 12:09:08 EST 2012
"Can be found remotely by someone with a minimum of time and effort" almost
certainly means compromised and already distributing malware. So if there
is any database of hacked sites as a percentage of legitimate sites... then
there you have it.
On Wed, Mar 7, 2012 at 11:01 AM, Dave Aitel <dave at immunityinc.com> wrote:
> I know it's been a decade, and everyone is sick of talking about SQLi,
> but nonetheless, I was chatting with a bunch of people about it at RSA
> and I wanted to throw out a metric to see if we can get consensus.
> The metric is this: How many websites have remote anonymous SQLi as a
> percentage. Obviously you're going to find more SQLi if you have
> authentication, or are doing static analysis on their code. But that's
> almost unfair. So let's just look at: "Can be found remotely by someone
> with a minimum of time and effort".
> My theory is 5%, and one of the companies who does this also thought 5%
> sounded reasonable.
> I think it's an interesting number to have, and if anyone wants to chime
> in, feel free!
Note to self: Pillage BEFORE burning.