
SQL Injection: A High-Value Target for Attackers

Paul Gerste of Sonar on Need for Developer Training to Combat SQL Injection
Paul Gerste, vulnerability researcher, Sonar

SQL injection remains one of the most damaging and most common vulnerability classes in modern applications. Databases hold valuable information such as customer data and authentication details, which makes them "high-value targets" for attackers, said Paul Gerste, vulnerability researcher at Sonar.


Despite advances in security tooling, these vulnerabilities persist because developers sometimes bypass the safeguards available to them, building SQL queries by hand from strings rather than using the parameterized query interfaces their database libraries already provide. This approach, driven by convenience, opens the door to SQL injection, Gerste said.
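The following Node.js snippet is an added example, not code from the article, from Gerste or from Sonar. It contrasts a hand-built query with a parameterised one written in the shape that the node-postgres `pg` driver accepts (`{ text, values }`), and includes the intermediate trap of hand-rolled quote escaping. The `users` table, the function names and the operator-counting helper are assumptions made for illustration; the helper runs without a database and simply measures how many boolean and comparison operators end up outside string literals, which is what an injection payload changes.

```javascript
// Added example (not from the article or from Sonar). Three ways an
// application can turn a user-supplied value into a SQL query, and what an
// injection payload does to each. No database needed: the assertions check
// query *structure*, since that is what injection actually alters.

// 1. Hand-built query by string concatenation: the attacker's text becomes
//    part of the SQL grammar instead of staying data.
function findUserConcat(username) {
  return "SELECT id, role FROM users WHERE username = '" + username + "'";
}

// 2. Hand-rolled escaping. Doubling single quotes looks safe for string
//    literals, but it does nothing in a numeric context that has no quotes.
function escapeSqlString(value) {
  return String(value).replace(/'/g, "''");
}
function findUserByIdEscaped(id) {
  // The developer assumed id is numeric and therefore omitted the quotes,
  // so the escaper has nothing to escape and the payload passes through.
  return "SELECT id, role FROM users WHERE id = " + escapeSqlString(id);
}

// 3. Parameterised query in the object form node-postgres (`pg`) accepts:
//    the SQL text is a constant, and user data travels separately as a value
//    the driver binds server-side. The text never changes with the input.
function findUserParam(username) {
  return {
    text: "SELECT id, role FROM users WHERE username = $1",
    values: [username],
  };
}

// Crude structural fingerprint (assumed helper, for illustration only):
// count OR / AND / = that appear *outside* single-quoted string literals.
// Anything inside a literal is data and is not counted; a payload that
// breaks out of the literal changes the count.
function operatorCountOutsideLiterals(sql) {
  let inLiteral = false;
  let stripped = "";
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (ch === "'") {
      // '' inside a literal is an escaped quote, not a terminator
      if (inLiteral && sql[i + 1] === "'") { i++; continue; }
      inLiteral = !inLiteral;
      continue;
    }
    if (!inLiteral) stripped += ch;
  }
  return (stripped.match(/\b(OR|AND)\b|=/gi) || []).length;
}

// Stand-alone demonstration with a constructed classic payload.
const payload = "' OR '1'='1";
console.log("concat, benign   :", operatorCountOutsideLiterals(findUserConcat("alice")));
console.log("concat, payload  :", operatorCountOutsideLiterals(findUserConcat(payload)));
console.log("escaped, benign  :", operatorCountOutsideLiterals(findUserByIdEscaped(42)));
console.log("escaped, payload :", operatorCountOutsideLiterals(findUserByIdEscaped("1 OR 1=1")));
console.log("param, payload   :", operatorCountOutsideLiterals(findUserParam(payload).text));
```

The benign and malicious inputs give different structural counts for both hand-built variants, while the parameterised query's text is identical for every input; the payload survives only as an element of `values`, where the driver treats it as an opaque string.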

The distinction between memory-safe and memory-unsafe languages also shapes how bad a bug can get. "If you have an array and you take a random index and try to find something in that array and access something, the worst case that can happen is an error and nothing more," he said. "But in a memory-unsafe language, it could become memory corruption and then code execution in a lot of cases."

In this video interview with Information Security Media Group at DEF CON 2024, Gerste also discussed:

  • How improper coding practices increase the risk of SQL vulnerabilities;
  • The differences between traditional and memory-safe languages;
  • The challenges in developer awareness and training to address vulnerabilities.

At Sonar, Gerste identifies critical vulnerabilities within widely used JavaScript and TypeScript applications such as Proton Mail, Rocket.Chat and Blitz.js. He previously worked as a research assistant at Ruhr University Bochum.


About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.



