[WEB SECURITY] How Prevalent Are SQL Injection Vulnerabilities?
mfisher at spidynamics.com
Wed Sep 27 09:30:03 EDT 2006
You're correct in pointing out that the journalist misquoted the meaning of the stats that Robert threw out on the panel: Robert was talking about what's appearing in the CVE; not necessarily what's actually being exploited. It's true, however, that web app vulns are topping the lists in known and newly discovered vulns; something I started pointing out at ShmooCon in January when I glanced at a Bugtraq for the first time in ages and realized it was somewhere near 50% web app vulns.
I personally believe the reason XSS tops the list, however, is just due to the nature of the CVE: it tends to cover a lot of COTS and otherwise off-the-shelf software (i.e., OSS web apps such as phpNuke) and certainly XSS is prevalent in those as is, apparently, include vulns.
As far as what's actually being exploited, however, I place SQLi as tops. It's almost as common as XSS, and a far more dangerous exploit. Besides, most of the XSS found in the CVE is probably going to be single-session or purely reflective and probably not the grand-poobah persistent multi-session XSS (ala MySpace worms). Certainly the various tools out there make sqli an easy exploit as well, and I've seen exploits ranging everywhere from simple reads to modifying pages malisciously to drop oh!-day.
Remember too that google hacking is a mere subset of real web app hacking .... take a look at the big graph in the appendix of the book; Google barely even traverses a site much less tampers with it, so if your googling suggests 11% of sites vuln to sqli, I'd double that number as even a conservative estimate of the sites that are actually vulnerable if you did any measure of real testing.
From: Michael Sutton [mailto:msutton at spidynamics.com]
Sent: Wed 9/27/2006 7:49 AM
To: websecurity at webappsec.org
Subject: [WEB SECURITY] How Prevalent Are SQL Injection Vulnerabilities?
Earlier this month, Mitre released updated statistics showing that web
application vulnerabilities had claimed the top three spots for
requested CVE numbers:
1.) Cross Site Scripting (21.5%)
2.) SQL Injection (14%)
3.) PHP includes (9.5%)
Much of the press coverage for this was inaccurate as is suggested that
this was a reflection of the vulnerabilities being used to attack
websites as opposed to a measure of how common vulnerabilities are in
commercial/open source software.
Of the top CVE vulnerabilities, SQL injection is the one that scares me
the most given the amount and type of personal data being stored by many
websites. I sought to find a way to test a sample population of random
sites to determine how many may be vulnerable to SQL injection. Given
the constraints of not being able to audit the third party sites, I
settled on using the Google API and some automation to search for sites
serving up verbose SQL errors. The results - 11.3% of the sites spit out
the errors. Not surprising, but certainly sobering. I've posted the
details of the experiment at:
The Web Security Mailing List:
The Web Security Mailing List Archives:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the websecurity