CypherCon 2023

SQL Injection: A history' OR 1=1; --

Will McCardell

Abstract:

SQL injection is one of the most well-known application vulnerabilities, and is one of the first ones taught to newcomers to the industry due to the simplicity of the attack and the impact it can have. The damage it causes is often severe and has even been used to wipe out debts to governments. For 8 years, SQL injection was ranked as one of the most critical web app vulnerabilities by OWASP, the leading organization for web application security. But in 2021, OWASP dropped SQL Injection's rank two places, reflecting the changes in the industry that reduced the frequency and impact of the vulnerability.

What is SQL injection, and how did we get to this point? This talk will go over the history of SQL injections: their origins; big hacks caused by SQL injections (including those whose effects are still felt today); the paradigm shifts that signal the twilight era of SQL injections; and how current trends are affecting the impact of these vulnerabilities. We’ll also discuss NoSQL injections and what the future holds for SQL injections.
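The payload in the talk's title is the textbook tautology injection. The following is an added illustration written for this page, not code from the talk or the speaker: it builds a small constructed in-memory SQLite table (the `users` table and its rows are assumptions), runs the title's payload against a query that concatenates user input into the SQL text, and then runs the same input through the parameterized form that is the standard mitigation. The concatenated query returns every row because the quote closes the string literal and `--` comments out the rest; the parameterized query treats the whole input as a single string value and matches nothing.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory sample table (not from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the caller's input becomes part of the SQL text.

    With name = "' OR 1=1; --" the statement sent to the engine is
        SELECT name FROM users WHERE name = '' OR 1=1; --'
    so the WHERE clause is always true and every row comes back.
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Mitigated form: the query shape is fixed, the input is bound as data.

    The driver passes the value separately from the SQL text, so quotes,
    semicolons and comment markers in the input never reach the parser.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Return (vulnerable_result, parameterized_result) for the title payload."""
    conn = make_db()
    payload = "' OR 1=1; --"  # the payload from the talk's title
    return lookup_vulnerable(conn, payload), lookup_parameterized(conn, payload)


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("concatenated query returned:", vulnerable)
    print("parameterized query returned:", safe)
```

The same contrast holds for any driver that supports bound parameters; the defensive rule is that the SQL text is a constant and every user-controlled value travels as a parameter, which is the "paradigm shift" that drove the vulnerability down the OWASP ranking.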

Will McCardell

Drop tables =)

Will McCardell is an experienced technologist with over 10 years in the tech industry. He’s worked on the software engineering, data, cloud infrastructure, and security sides of the industry, and brings this strong breadth of experience to his work as an application security engineer. He holds a CISSP and takes great joy in mentoring and helping others, as well as solving organizational problems. When not learning new things, he can be found biking, playing games of all sorts, and making pizza.