2025-04-13, Track 1
Despite being older than Internet Explorer, injection attacks like SQLi, Command Injection, and XSS remain prominent. Our research found SQLi alone accounts for 6.7% of open-source vulnerabilities and 10% in closed-source projects. This session reveals why these attacks persist and how modern solutions can help.
Injection attacks like SQL injection (SQLi) have a history older than Internet Explorer, so why do they continue to plague our modern applications?
In a recent research project, we looked at SQLi, Command Injection, and Cross-Site Scripting (XSS) attacks in both open-source and closed-source projects to discover how prevalent they remain in 2025.
Our research discovered that injection attacks still make up a significant portion of web application vulnerabilities. Throughout 2024, SQLi alone accounted for 6.7% of vulnerabilities reported in open-source projects and 10% in closed-source projects. Command injection and XSS also remain very prominent. In this presentation, we will explore why these vulnerabilities simply won’t go away despite being solvable, and what hope new technologies might offer in finally fixing them.
The presentation will first explore exactly what injection attacks are, with live demos of advanced injection attacks in action. We then explore our research methodology, including how we reviewed open-source projects using disclosed vulnerabilities and how we were able to review over 50,000 closed-source projects. We will also review some high-profile attacks that prove injection-style attacks are still prominent in the real world, including the MOVEit attack. The crux of the presentation, of course, is our core findings: we will show exactly how many projects in 2024 had SQLi, Command Injection and XSS vulnerabilities, before finally discussing prevention methods and what could finally make this a solved problem (spoiler: they will likely be around for another decade).
This presentation is suitable for anyone wanting to understand what threats may be hidden inside their applications and how they can secure them.
Mackenzie is a security researcher and advocate with a passion for code security. He is the former CTO and founder of Conpago, where he learned firsthand the importance of building secure applications. Today, Mackenzie works for Aikido Security to help developers and DevOps engineers build secure systems. He also shares his knowledge as a contributor to many technology publications like DarkReading, Financial Times, and Security Boulevard, along with appearing as an expert in TV documentaries and