"Can be found remotely by someone with a minimum of time and effort" almost certainly means compromised and already distributing malware. So if there is any database of hacked sites as a percentage of legitimate sites... then there you have it.
On Wed, Mar 7, 2012 at 11:01 AM, Dave Aitel <[email protected]> wrote:

> I know it's been a decade, and everyone is sick of talking about SQLi, but nonetheless, I was chatting with a bunch of people about it at RSA and I wanted to throw out a metric to see if we can get consensus.
>
> The metric is this: How many websites have remote anonymous SQLi as a percentage. Obviously you're going to find more SQLi if you have authentication, or are doing static analysis on their code. But that's almost unfair. So let's just look at: "Can be found remotely by someone with a minimum of time and effort".
>
> My theory is 5%, and one of the companies who does this also thought 5% sounded reasonable.
>
> I think it's an interesting number to have, and if anyone wants to chime in, feel free!
>
> --
> INFILTRATE 2013 January 10th-11th in Miami - the world's best offensive information security conference.
> www.infiltratecon.com
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> http://lists.immunityinc.com/mailman/listinfo/dailydave

--
_________________________________
Note to self: Pillage BEFORE burning.
