Data breaches happen.
|principal domain names with SLQi|
According to the “pastes” the attacker harvest 327 circa vulnerable websites in less then a day ! So let’s dig a little bit on them to see if we might find some interesting correlations.
A first interesting result comes from the first level domain names. Leaving out “.com” (which actually is the most common used domain name) it is possible to see additional interesting domain names such as “.ca”, “.it”, “.ir”, “.ch”, “.il” and so on, which are mostly “country” based domain names. I agree with those who might think that the used dataset could not be considered as a “significative dataset”, since 24h of internet scraping is far-far-far away from having an internet significative view, but we might agree that it could be considered as an “indicative dataset”. In other words if in only 24h of internet scraping he/she found 327 circa vulnerable websites, let’s immagine what an attacker could do with weeks or months of scraping power. Still interesting to see that no specific geographic targets and/or country patterns emerged (for example: only richest/poorest countries or European countries, or countries with cyber activists, or countries in a war conflict, etc..) suggesting that the issue (having vulnerable SQLi WebSite) is still quite spread all over the world. The following map shows the geo-distribution domain names where domains such as: “.ld”,”.dk”,”.nz”,”.ug”, “gk”, … , took a single hit, so are not visualised.
|Domain Names Geographically Distributed|
The following histogram shows the percentage of web server technology found in “presumed” vulnerable websites. Apache and Nginx are the most common used technology. I am not saying that Apache and Nginx are vulnerable to SQLi or that they might infer or enable in somehow vulnerable webpages. Yet I am not saying that they are responsible in anyway of serving vulnerable applications. Indeed vulnerable applications does not have a direct link to the used web server, I am just observing the analysed data. It could be an “obvious consequence”, since Apache and Nginx technologies are the most used over the web, or maybe not.
|Percentage of WebServer Technology in front of vulnerable websites|
A little bit more interesting is the DB Technology distribution used in presumed SQLi vulnerable websites. It might highlight the application “type”. For example we might believe that applications built on top of Microsoft Access are quite “old applications” (this is not always true, I’m aware of it, but it might be an indicative parameter to be considered on SQLi researches) or applications built on top of Oracle databases might be corporate applications and not opensource and/or “mockup” applications. Or we might stretch a little bit this concept by assuming that applications built on top of Microsoft SQL servers might be professional/company applications and so on and so forth. Of course we cannot walk the same way starting from MySql or PostreSQL since both of them are used into opensource/free applications as well as corporate and professional ones.
|Percentage of DataBase Technology in of vulnerable websites backend|