HF 2021 - Call for Papers

SQL Injection Is Still Alive: From a Mall's Interactive Terminal to AWS WAF Bypass
11-19, 11:05–11:25 (Canada/Eastern), Sponsors - Workshops
Language: English

This presentation will dive into multiple SQL injections faced in the field and showcase spicy SQL injections that go from exploiting interactive display terminals of a mall center to AWS WAF bypass using a scientific notation parser bug in MySQL. In addition, we will be sharing techniques to help you find SQL Injections.


You can hear on the [infosec] streets that SQL injection is dead. Guess what? It’s not. This presentation will dive into multiple SQL injections performed in the field . We will showcase increasingly spicy SQL injections and put them in context. On the menu, we have: second order SQL injection 🌶️, pre-authentication SQLi to domain admin 🌶️🌶️, AWS WAF bypass using a scientific notation parser bug in MySQL 🌶️🌶️🌶️ and even an SQL injection in an interactive display terminal of a mall center 👶. We will conclude by sharing techniques based on our experience exploiting these types of bugs. Join us for a deep dive in SQL injection, a vulnerability that is still very real in 2021 unfortunately!


Are you releasing a tool? – no Have this talk already be given? – no

Marc Olivier Bergeron works as a cybersecurity analyst at GoSecure in the ethical hacking team. After a couple months with the team, he quickly earned the SQLi expert title belt. Marc Olivier has been a cybersecurity enthusiast since his first NorthSec in 2015 and has been working as a professional since 2017. Since his debut, he has participated, and received honorable mentions, in many cyber events, such as NorthSec, HackFest, BSides, Geek Week, and is now a challenge designer at NorthSec and an administrator of RingZer0 Team CTF.