[WEB SECURITY] How Prevalent Are SQL Injection Vulnerabilities?

Schmidt, Albert E AES at ola.state.md.us
Wed Sep 27 13:54:39 EDT 2006


I feel that both can lead to critical compromises.  If a hacker is
unable to use one attack against a website, the hacker will try the
other.  I am sure that each hacker may have their favorite.  If the
hacker has a database background they may be more inclined to attempt a
SQL injection first, whereas a hacker with a programming background may
attempt XSS first.  Either way the results of both are significant.  A
hole in an application is a hole regardless of whether it is an apple or
an orange.


-----Original Message-----
From: Jeff Robertson [mailto:jeff.robertson at digitalinsight.com] 
Sent: Wednesday, September 27, 2006 1:40 PM
To: Jeff Robertson; Jeremiah Grossman; Web Security
Subject: RE: [WEB SECURITY] How Prevalent Are SQL Injection
Vulnerabilities?

That paragraph contains a semantically significant typo. I meant to say:

For stealing data, I don't see how you can *BEAT* SQL Injection.

> -----Original Message-----
> From: Jeff Robertson 
> Sent: Wednesday, September 27, 2006 13:34
> To: Jeremiah Grossman; Web Security
> Subject: RE: [WEB SECURITY] How Prevalent Are SQL Injection 
> Vulnerabilities?
> 
> I don't know about "stealing money", but for stealing data I 
> don't see how you can be SQL injection. And certain kinds of 
> data are as good as money, aren't they?
> 
> > -----Original Message-----
> > From: Jeremiah Grossman [mailto:jeremiah at whitehatsec.com]
> > Sent: Wednesday, September 27, 2006 13:10
> > To: Web Security
> > Subject: Re: [WEB SECURITY] How Prevalent Are SQL Injection 
> > Vulnerabilities?
> > 
> > Recently Alex Stamos (iSEC Partners) was giving an encore Black Hat
> > presentation for the local San Francisco OWASP Chapter. During Alex's
> > presentation, SQL Injection was mentioned, to which he replied with
> > something quite thought provoking. I'm unable to quote Alex verbatim,
> > but here's the general gist.
> > 
> > Alex said using SQL Injection to actually steal money from a bank
> > would be very difficult due to the sheer complexity of the database.
> > At least significantly harder to pull off than using XSS and getting
> > the user to do it for you.
> > 
> > 
> > Regards,
> > 
> > Jeremiah Grossman
> > Chief Technology Officer
> > WhiteHat Security, Inc.
> > http://www.whitehatsec.com/
> > http://jeremiahgrossman.blogspot.com/
> > 
> > 
> > On Sep 27, 2006, at 6:30 AM, Matt Fisher wrote:
> > 
> > > You're correct in pointing out that the journalist misquoted the
> > > meaning of the stats that Robert threw out on the panel: Robert was
> > > talking about what's appearing in the CVE, not necessarily what's
> > > actually being exploited.  It's true, however, that web app vulns are
> > > topping the lists in known and newly discovered vulns; something I
> > > started pointing out at ShmooCon in January when I glanced at
> > > Bugtraq for the first time in ages and realized it was somewhere near
> > > 50% web app vulns.
> > >
> > > I personally believe the reason XSS tops the list, however, is just
> > > due to the nature of the CVE: it tends to cover a lot of COTS and
> > > otherwise off-the-shelf software (i.e., OSS web apps such as
> > > phpNuke) and certainly XSS is prevalent in those as is, apparently,
> > > include vulns.
> > >
> > > As far as what's actually being exploited, however, I place SQLi as
> > > tops.  It's almost as common as XSS, and a far more dangerous exploit.
> > > Besides, most of the XSS found in the CVE is probably going to be
> > > single-session or purely reflective and probably not the grand-poobah
> > > persistent multi-session XSS (a la MySpace worms).  Certainly the
> > > various tools out there make SQLi an easy exploit as well, and I've
> > > seen exploits ranging everywhere from simple reads to modifying pages
> > > maliciously to drop oh!-day.
> > >
> > > Remember too that google hacking is a mere subset of real web app
> > > hacking .... take a look at the big graph in the appendix of the book;
> > > Google barely even traverses a site much less tampers with it, so if
> > > your googling suggests 11% of sites vuln to SQLi, I'd double that
> > > number as even a conservative estimate of the sites that are actually
> > > vulnerable if you did any measure of real testing.
> > >
> > > From: Michael Sutton [mailto:msutton at spidynamics.com]
> > > Sent: Wed 9/27/2006 7:49 AM
> > > To: websecurity at webappsec.org
> > > Subject: [WEB SECURITY] How Prevalent Are SQL Injection 
> > > Vulnerabilities?
> > >
> > > Earlier this month, Mitre released updated statistics showing that web
> > > application vulnerabilities had claimed the top three spots for
> > > requested CVE numbers:
> > >
> > > 1.) Cross Site Scripting (21.5%)
> > > 2.) SQL Injection (14%)
> > > 3.) PHP includes (9.5%)
> > >
> > > Much of the press coverage for this was inaccurate, as it suggested
> > > that this was a reflection of the vulnerabilities being used to attack
> > > websites as opposed to a measure of how common vulnerabilities are in
> > > commercial/open source software.
> > >
> > > Of the top CVE vulnerabilities, SQL injection is the one that scares
> > > me the most given the amount and type of personal data being stored by
> > > many websites. I sought to find a way to test a sample population of
> > > random sites to determine how many may be vulnerable to SQL injection.
> > > Given the constraints of not being able to audit the third party
> > > sites, I settled on using the Google API and some automation to search
> > > for sites serving up verbose SQL errors. The results - 11.3% of the
> > > sites spit out the errors. Not surprising, but certainly sobering.
> > > I've posted the details of the experiment at:
> > >
> > >    http://portal.spidynamics.com/blogs/msutton/
> > >
> > > - michael
> > >
> > > Michael Sutton
> > > Security Evangelist
> > > SPI Dynamics
> > > http://portal.spidynamics.com/blogs/msutton
> > >
> > >
> > >
> > > ----------------------------------------------------------------------------
> > > The Web Security Mailing List:
> > > http://www.webappsec.org/lists/websecurity/
> > >
> > > The Web Security Mailing List Archives:
> > > http://www.webappsec.org/lists/websecurity/archive/
> > > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> > >