= Session =
Injection Inspection: Defending Against Data Manipulation Attacks
Overview
This hands-on 4-hour workshop equips developers with practical experience identifying, exploiting, and remediating common injection vulnerabilities in local applications.
We will provide the same examples in three languages (Python, JavaScript, and .NET), so everyone can attack and fix their own preferred platform.
Learning Objectives
- Understand the mechanics of four critical injection vulnerability types
- Gain practical experience exploiting vulnerabilities in local applications
- Learn to identify vulnerable patterns in existing codebases
- Implement remediation and prevention techniques
- Develop secure coding habits that prevent injection attacks
Target Audience
Software developers, security engineers, QA specialists, and technical team leads seeking to strengthen application security through practical exercises.
Prerequisites
- Familiarity with Python, JavaScript, and/or .NET
- Basic understanding of backend web application development
- Laptop with the relevant language platform set up (Python, JavaScript or .NET), your favorite development IDE, web browsers (at least Chrome and Firefox) and Postman
- Workshop repository cloned (will be provided before the session)
Workshop Structure
Introduction (15 minutes)
Why are we still talking about Injection?
Hour 1: SQL Injection (50 minutes)
- Introduction (5 min)
- Vulnerable Applications Walkthrough and Demo (5 min)
- Hands-on Exploitation Lab (15 min)
- Remediation Implementation (15 min)
- Discussion and Q&A (10 min)
Hour 2: Command Injection (50 minutes)
- Introduction (5 min)
- Vulnerable Applications Walkthrough and Demo (5 min)
- Hands-on Exploitation Lab (15 min)
- Remediation Implementation (15 min)
- Discussion and Q&A (10 min)
Hour 3: Command injection and Cross-Site Scripting (XSS) (55 minutes)
- Introduction (5 min)
- Vulnerable Applications Walkthrough and Demo (5 min)
- Eval is evil (5 min)
- Hands-on Exploitation Lab (15 min)
- Remediation Implementation (15 min)
- Discussion and Q&A (10 min)
Hour 4: Deserialization Vulnerabilities (50 minutes)
- Introduction (5 min)
- Vulnerable Applications Walkthrough and Demo (5 min)
- Hands-on Exploitation Lab (15 min)
- Remediation Implementation (15 min)
- Discussion and Q&A (10 min)
Hour 5: Bonus injection approach (30 minutes)
- Examples of other injection techniques used by attackers - Discussion and Q&A
Wrap up
Hands-On Exercise Format
Each vulnerability section includes:
- Pre-configured application code in multiple languages
- Step-by-step instructions for vulnerability identification
- Example attack payloads for successful exploitation
- Code templates for implementing secure alternatives
- Verification methods to validate remediation effectiveness
Materials Provided
- Presentation slides
- GitHub repository with all exercise code
- Reference guide to injection vulnerabilities
Note: All exercises are designed to run locally without network connectivity. Participants should complete the setup instructions distributed prior to the workshop to ensure a smooth experience.