2025-03-30, The Waterloo
Injection attacks like SQL injection (SQLi) are older than Internet Explorer, yet they still plague modern applications. Our recent research examined SQLi, Command Injection, Path Traversal, and Cross-Site Scripting (XSS) vulnerabilities in open- and closed-source projects to understand their prevalence in modern apps.
SQLi alone accounted for 6.7% of the vulnerabilities discovered in open-source projects and 10% of those discovered in closed-source projects in 2024. Command injection, Path Traversal, and XSS also remain dominant threats.
This presentation explores why injection attacks persist despite known solutions and examines whether new technologies can finally eliminate them. We’ll review our research methodology, which included analyzing over 50,000 closed-source projects, and highlight key findings. Real-world case studies, such as the MOVEit attack, will underscore their ongoing impact. We’ll conclude with prevention strategies and discuss why injection vulnerabilities may persist for another decade.
Injection attacks remain a very prominent threat vector that we see in the wild today. This is despite their being around since the start of the Internet and being a solvable problem in nearly all scenarios. This presentation will explore multiple different types of injection attacks and vulnerabilities, including:
- SQL Injection (SQLi)
- NoSQL injection
- Path Traversal
- Cross-Site Scripting (XSS)
- Command injection
The presentation is centered around research we did to uncover exactly how predominant injection attacks remain in 2025. To do this, we looked at over 50,000 closed-source projects and reviewed all the vulnerabilities reported in 2023 and 2024 for open-source projects. We discovered that injection-style vulnerabilities still play a huge part in application security today.
Looking only at the numbers for SQLi, we discovered that over 6% of all reported open-source vulnerabilities involved SQLi, and this increased to 10% of the vulnerabilities we discovered in closed-source projects. The numbers for command injection, Path Traversal, XSS, and NoSQL injection were slightly lower, but together they make up a significant portion of the vulnerabilities that plague modern applications.
This presentation will walk through exactly what injection attacks are through real-life examples and live demos. We will explore our research in detail and discuss preventative measures.
Presentation outline
- What are injection attacks
- Modern examples of injection attacks (including the MOVEit breach)
- Demo of SQL injection attack
- Research Methodology
- Research results of each category of vulnerability 2023 and 2024
- Trends we are seeing in injection vulnerabilities
- How we can prevent injection attacks
  – Secure coding principles
  – Code scanning
  – Secure code reviews
- What the future holds for injection vulnerabilities and attacks
Each audience member will get access to an exclusive report they can download after the presentation (made public after the conference) with all the research results and findings.
This talk is for anyone interested in secure coding principles and understanding the modern threat landscape.
Mackenzie is a security researcher and advocate with a passion for code security. He is the former CTO and founder of Conpago, where he learned firsthand the importance of building secure applications. Today, Mackenzie works for Aikido Security, helping developers and DevOps engineers build secure systems. He also shares his knowledge as a contributor to many technology publications, including DarkReading, Financial Times, and Security Boulevard, and appears as an expert in TV documentaries and interviews.