Big variance in vulnerability seriousness across that spectrum... but if you've found 100K+ vulns and 2.5% are SQL injection, that's a lot of big holes!
Yup! Some of those are less serious than others, though all are a beachhead you don't want available to an attacker. And SQLi, I agree, is among the worst.
We actually were, for a while, but are working through some bugs in that particular module for the last couple of weeks. However, it still didn't show up as often as XSS in our testing, actually.
Title is wrong. Instead of saying that 16% of web vulns are XSS, it should say that 16% of the findings reported by this particular product/service are XSS.
Web vulnerability scanners can diff a lot in their results. Crawling algos/site coverage, finding and using different input vectors, specific testing methods &c are all very different across various products. Sectoolmarket is a good resource with results from WIVET (crawl tests more or less) and WAVSEP (detecting vulnerabilities). Even so, those benchmarks only cover a very small portion of possible web application attack vectors. And let's not forget the problem of crawling "The Deep Web" i.e., stateful web applications.
Not sure what the implication is here - yes, 16% of the vulnerabilities found by our scanner, of just over 100k now, are XSS. Are you implying XSS is less widespread? In my appsec experience, it's possibly even more widespread, if anything...
How did you test for YAML injection? From my past experiences with Ruby (hardly any) YAML injection is difficult to test from a blackbox perspective as you need an understanding of the source code in order to be able to craft the appropriate serialized YAML object to yield code execution.
Couple of methods. For one thing, we test for status codes returned for particularly crafted YAML/XML parameters. Aside from that, we also carefully craft a YAML injection using a timing attack and test blind, that way.
9 comments
[ 2.2 ms ] story [ 40.3 ms ] threadWeb vulnerability scanners can diff a lot in their results. Crawling algos/site coverage, finding and using different input vectors, specific testing methods &c are all very different across various products. Sectoolmarket is a good resource with results from WIVET (crawl tests more or less) and WAVSEP (detecting vulnerabilities). Even so, those benchmarks only cover a very small portion of possible web application attack vectors. And let's not forget the problem of crawling "The Deep Web" i.e., stateful web applications.
TL;DR: title is wrong.