SQL Injection: A High-Value Target for Attackers
Paul Gerste of Sonar on Need for Developer Training to Combat SQL Injection

SQL vulnerabilities continue to plague modern applications due to their severe impact and frequent occurrence. Databases hold valuable information such as customer data and authentication details and are "high-value targets" for attackers, said Paul Gerste, vulnerability researcher at Sonar.
Despite advancements in security measures, vulnerabilities persist because developers sometimes bypass proper safeguards. They often choose to build SQL queries by hand rather than use secure libraries. This approach, driven by convenience, increases the risk of SQL injection attacks, Gerste said.
The distinction between memory-safe and memory-unsafe languages also plays a role. "If you have an array and you take a random index and try to find something in that array and access something, the worst case that can happen is an error and nothing more," he said. "But in a memory-unsafe language, it could become memory corruption and then code execution in a lot of cases."
In this video interview with Information Security Media Group at DEF CON 2024, Gerste also discussed:
- How improper coding practices increase the risk of SQL vulnerabilities;
- The differences between traditional and memory-safe languages;
- The challenges in developer awareness and training to address vulnerabilities.
At Sonar, Gerste identifies critical vulnerabilities within widely used JavaScript and TypeScript applications such as Proton Mail, Rocket.Chat and Blitz.js. He previously worked as a research assistant at Ruhr University Bochum.