= Session =

Injection Inspection: Defending Against Data Manipulation Attacks

Overview

This hands-on 4-hour workshop equips developers with practical experience identifying, exploiting, and remediating common injection vulnerabilities in local applications. 

We will provide the same examples in three languages, so everyone can attack and fix their own preferred platform: Python, JavaScript, and .NET.

Learning Objectives

  • Understand the mechanics of four critical injection vulnerability types

  • Gain practical experience exploiting vulnerabilities in local applications

  • Learn to identify vulnerable patterns in existing codebases

  • Implement remediation and prevention techniques 

  • Develop secure coding habits that prevent injection attacks

Target Audience

Software developers, security engineers, QA specialists, and technical team leads seeking to strengthen application security through practical exercises.

Prerequisites

  • Familiarity with Python, JavaScript, and/or .NET

  • Basic understanding of web application development (backend)

  • Laptop with the relevant language platform set up (Python, JavaScript or .NET), your favorite development IDE, web browsers (at least Chrome and Firefox) and Postman.

  • Workshop repository cloned (will be provided before the session)

Workshop Structure

Introduction (15 minutes)

Why are we still talking about Injection?

Hour 1: SQL Injection (50 minutes)

  • Introduction (5 min)

  • Vulnerable Applications Walkthrough and Demo (5 min)

  • Hands-on Exploitation Lab (15 min)

  • Remediation Implementation (15 min)

  • Discussion and Q&A (10 min)

Hour 2: Command Injection (50 minutes)

  • Introduction (5 min)

  • Vulnerable Applications Walkthrough and Demo (5 min)

  • Hands-on Exploitation Lab (15 min)

  • Remediation Implementation (15 min)

  • Discussion and Q&A (10 min)

Hour 3: Command Injection and Cross-Site Scripting (XSS) (55 minutes)

  • Introduction (5 min)

  • Vulnerable Applications Walkthrough and Demo (5 min)

  • Eval is evil (5 min)

  • Hands-on Exploitation Lab (15 min)

  • Remediation Implementation (15 min)

  • Discussion and Q&A (10 min)

Hour 4: Deserialization Vulnerabilities (50 minutes)

  • Introduction (5 min)

  • Vulnerable Applications Walkthrough and Demo (5 min)

  • Hands-on Exploitation Lab (15 min)

  • Remediation Implementation (15 min)

  • Discussion and Q&A (10 min)

Hour 5: Bonus injection approach (30 minutes)

  • Examples of other injection techniques used in attacks - Discussion and Q&A

Wrap up

Hands-On Exercise Format

Each vulnerability section includes:

  1. Pre-configured application code in multiple languages

  2. Step-by-step instructions for vulnerability identification

  3. Example attack payloads for successful exploitation

  4. Code templates for implementing secure alternatives

  5. Verification methods to validate remediation effectiveness

Materials Provided

  • Presentation slides

  • GitHub repository with all exercise code

  • Reference guide to injection vulnerabilities

Note: All exercises are designed to run locally without network connectivity. Participants should complete the setup instructions distributed prior to the workshop to ensure a smooth experience.

Session Info

Workshop
September 15th, 2025
14:00
Base42
240 minutes
workshop security