5% of websites have had at least 1 SQL Injection vulnerability without needing to login

During RSA, Dave Aitel, CEO of Immunity, asked me a statistics question relating to website security. Dave asked, “What percentage of websites is WhiteHat seeing as vulnerable to SQL Injection — without needing to authenticate?” That last detail is important, especially in the era of mass-blast SQL Injection worms and prolific bad-guy scanner use searching for victims of opportunity.

I didn’t have the number off the top of my head, and would have to look it up in the WhiteHat Sentinel database to be certain, but my first impression was that it’s probably around 5%. I thought so because we’re currently tracking about 14% of all websites as having had at least one SQL Injection vulnerability (slide 13). Restricting to non-authenticated testing would obviously drag the number down.

To Dave’s surprise, 5% was what he was measuring as well, as was one other person he asked. I asked WhiteHat Security’s resident data scientist, Bill Coffman, to provide the real figures. To first understand our data scope: WhiteHat Sentinel is used to perform continuous vulnerability assessments on thousands of publicly facing websites, for 500+ companies in all, large and small, across industries such as financial services, retail, healthcare, energy, etc. The large majority of our vulnerability assessments are conducted in a logged-in state.

Fortunately, we offer a service line named Baseline Edition (BE), which does not authenticate. BE is generally for customers who only require a “baseline” level of testing comprehensiveness, usually deployed broadly across their entire website portfolio. So, Bill restricted our data set to only BE-covered websites, which ended up encompassing many hundreds.

Restricting to all BE websites created under WhiteHat Sentinel before March 2011 yielded 5%. That is, 5% of websites have had at least 1 SQL Injection vulnerability without needing to login!

We restricted the sampling to a year back to ensure the websites had all their scans properly configured and had enough time to complete over a long enough period. Newer sites are not yet in a stable enough state to be statistically representative.

There is one potential caveat in the data, which we can’t properly account for, that is likely to move the percentage up. Just because an assessment is conducted in a logged-in state does not mean the URL that’s vulnerable to SQL Injection can’t be exploited while NOT logged-in — an authentication / authorization issue, which shows up in our statistics report’s top ten.

So, those are our numbers. If you are in the website vulnerability assessment business, what are yours?


About Jeremiah Grossman

Jeremiah Grossman is the Founder and Chief Technology Officer of WhiteHat Security, where he is responsible for Web security R&D and industry outreach. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author. His work has been featured in the Wall Street Journal, Forbes, NY Times and hundreds of other media outlets around the world. As a well-known security expert and industry veteran, Mr. Grossman has been a guest speaker on six continents at hundreds of events including TED, BlackHat Briefings, RSA, SANS, and others. He has been invited to guest lecture at top universities such as UC Berkeley, Stanford, Harvard, UoW Madison, and UCLA. Mr. Grossman is also a co-founder of the Web Application Security Consortium (WASC) and previously named one of InfoWorld's Top 25 CTOs. He serves on the advisory board of two hot start-ups, Risk I/O and SD Elements, and is a Brazilian Jiu-Jitsu Black Belt. Before founding WhiteHat, Mr. Grossman was an information security officer at Yahoo!