On 7 March 2012 16:01, Dave Aitel <[email protected]> wrote:
> I know it's been a decade, and everyone is sick of talking about SQLi,
> but nonetheless, I was chatting with a bunch of people about it at RSA
> and I wanted to throw out a metric to see if we can get consensus.
>
> The metric is this: How many websites have remote anonymous SQLi as a
> percentage. Obviously you're going to find more SQLi if you have
> authentication, or are doing static analysis on their code. But that's
> almost unfair. So let's just look at: "Can be found remotely by someone
> with a minimum of time and effort".
>
> My theory is 5%, and one of the companies who does this also thought 5%
> sounded reasonable.
>
> I think it's an interesting number to have, and if anyone wants to chime
> in, feel free!
One in twenty doesn't seem too far off in my experience. However, I'm not sure how representative the sites I see are of the Internet as a whole; that is the tricky bit. To guess, I think if you ran sqlmap against websites at random, you'd be seeing something like 3-8% vulnerable.

cheers,
Jamie

--
Jamie Riden / [email protected] / [email protected]
http://uk.linkedin.com/in/jamieriden

_______________________________________________
Dailydave mailing list
[email protected]
http://lists.immunityinc.com/mailman/listinfo/dailydave
