I know it's been a decade, and everyone is sick of talking about SQLi, but nonetheless, I was chatting with a bunch of people about it at RSA and I wanted to throw out a metric to see if we can get consensus.
The metric is this: How many websites have remote anonymous SQLi as a percentage. Obviously you're going to find more SQLi if you have authentication, or are doing static analysis on their code. But that's almost unfair. So let's just look at: "Can be found remotely by someone with a minimum of time and effort". My theory is 5%, and one of the companies who does this also thought 5% sounded reasonable. I think it's an interesting number to have, and if anyone wants to chime in, feel free!

--
INFILTRATE 2013 January 10th-11th in Miami - the world's best offensive information security conference. www.infiltratecon.com
