SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level
Paul Gerste
DEF CON 32 · Day 1 · Main Stage
In "SQL Injection Isn't Dead: Smuggling Queries at the Protocol Level," Paul Gerste from SonarSource challenges the prevailing notion that modern application development practices have largely eradicated SQL injection vulnerabilities. While parameterized queries and Object-Relational Mappers (ORMs) have significantly mitigated traditional, high-level SQL injection risks, Gerste's research unveils a new vector: injecting malicious queries by exploiting flaws in how applications communicate with databases at the binary protocol level. This talk dives into the "lower decks" of network communication, where bits and bytes are exchanged, revealing vulnerabilities that bypass even the most robust application-layer defenses.
AI review
Gerste's research on binary protocol desynchronization in database drivers is a critical, high-impact finding that redefines what we thought we knew about SQL injection. By demonstrating how integer truncation in client libraries can smuggle entirely new queries past prepared statements, he's exposed a fundamental vulnerability at the protocol level. This isn't just a clever hack; it's a profound shift in attack vectors that bypasses modern defenses and demands immediate attention from developers and security professionals.
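The integer truncation mentioned above, shown on a toy length-prefixed framing as an added example; this is not code from the talk or from any real database driver. The 16-bit length field, the message type bytes and all function names are assumptions, chosen so the wrap-around happens at a size small enough to run.

```python
import struct

LEN_MAX = 0xFFFF  # toy 16-bit length field (assumption for this example)

def encode_truncating(msg_type: bytes, payload: bytes) -> bytes:
    """Flawed framing: an oversized length silently wraps to fit the field."""
    length = (len(payload) + 2) & LEN_MAX      # integer truncation
    return msg_type + struct.pack(">H", length) + payload

def encode_checked(msg_type: bytes, payload: bytes) -> bytes:
    """Hardened framing: refuse any payload the length field cannot describe."""
    length = len(payload) + 2                  # length counts its own 2 bytes
    if length > LEN_MAX:
        raise ValueError(f"message of {length} bytes exceeds length field")
    return msg_type + struct.pack(">H", length) + payload

def parse_frames(stream: bytes) -> list[tuple[bytes, bytes]]:
    """Receiver side: split a byte stream into (type, payload) frames."""
    frames, pos = [], 0
    while pos < len(stream):
        if pos + 3 > len(stream):
            raise ValueError("truncated header")
        msg_type = stream[pos:pos + 1]
        (length,) = struct.unpack(">H", stream[pos + 1:pos + 3])
        end = pos + 1 + length
        if length < 2 or end > len(stream):
            raise ValueError("length field does not match stream")
        frames.append((msg_type, stream[pos + 3:end]))
        pos = end
    return frames

def roundtrips(encoder, msg_type: bytes, payload: bytes) -> bool:
    """True only if the receiver sees exactly the one frame the sender meant."""
    wire = encoder(msg_type, payload)
    try:
        return parse_frames(wire) == [(msg_type, payload)]
    except ValueError:
        return False  # sender and receiver disagree on message boundaries

if __name__ == "__main__":
    big = b"A" * 70000  # constructed sample: larger than the field can express
    print("small, truncating:", roundtrips(encode_truncating, b"P", b"hello"))
    print("large, truncating:", roundtrips(encode_truncating, b"P", big))
    try:
        encode_checked(b"P", big)
    except ValueError as exc:
        print("large, checked:   rejected ->", exc)
```

A round-trip property test of this kind, run against a driver's own framing code with payloads at and above the length field's limit, is a direct way to catch the wrap-around before it ships.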