Our Unhealthy Relationship with Injection Vulnerabilities

Accepted Session
Short Form
Scheduled: Tuesday, June 21, 2016 from 10:00 – 10:45am in B304


Ever concatenated strings in your code? Did those strings include any kind of structured syntax? Then your code might be vulnerable to injection. What does that mean? I will show you the common patterns of injection that occur, what their impact might be, and how to avoid them.


Injection flaws are a broad, common category of vulnerability in modern software. While many developers are aware of high-profile technical issues, such as SQL injection, any number of injection vulnerabilities are possible in other languages, protocols, and syntaxes. Upon studying these flaws in many contexts, an underlying “theory of injection” emerges. This simple concept can be applied to many situations (including new technologies and those yet to be invented) to help developers avoid the most common types of implementation vulnerabilities.
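As an added illustration of the pattern the abstract describes (example code written for this page, not from the talk or the speaker), the snippet below concatenates untrusted text into SQL, shows the same query built with a bound parameter, and adds a crude token-count check that makes the "theory of injection" visible: injection is when data changes the structure of the enclosing syntax. The table, rows, and inputs are constructed.

```python
import re
import sqlite3

# Constructed sample data for the demonstration.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "admin"), ("bob", "user"), ("carol", "user")])


def _concat_sql(name):
    # The pattern the abstract warns about: untrusted text glued into a
    # string that the database will parse as SQL.
    return "SELECT name FROM users WHERE name = '" + name + "'"


def find_user_concat(name):
    # Any input containing a quote escapes the string literal and becomes
    # SQL tokens. A legitimate name like O'Brien already breaks the query;
    # returning None on failure keeps the demonstration runnable.
    try:
        return [row[0] for row in conn.execute(_concat_sql(name))]
    except sqlite3.Error:
        return None


def find_user_param(name):
    # Hardened form: the statement's structure is fixed before the data is
    # supplied, so the input can only ever be a value, never syntax.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Minimal SQL tokenizer (string literal with '' escapes, word, or symbol).
# It is an approximation used only to count tokens, not a real parser.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\w+|[^\s\w]")


def sql_token_count(sql):
    return len(_TOKEN.findall(sql))


def structure_changed(name):
    # Plain data should occupy exactly one token (the string literal). If the
    # filled-in statement has a different number of tokens than the template,
    # the input has altered the SQL structure, which is the essence of injection.
    return sql_token_count(_concat_sql(name)) != sql_token_count(_concat_sql(""))
```

Run `find_user_concat("O'Brien")` and `find_user_param("O'Brien")` side by side: the concatenated form fails to parse while the parameterized form simply finds no such user.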


security, injection, owasp

Speaking experience

I have spoken at dozens of local security groups over the years. More notably, I have spoken at the Blackhat USA security conference and at AppSec USA. I am also a trainer, regularly delivering 1/2 day, 1 day, and 2 day courses.


  • Timothy Morgan

    Blindspot Security


    As an application security consultant and vulnerability researcher, Tim has been taking deep technical dives in security for over a decade. In that time, he has been credited with the discovery and responsible disclosure of numerous security vulnerabilities in a variety of software products, including: IBM Tivoli Access Manager, Sun Java Runtime Environment, Google Chrome Web Browser, OpenOffice, Oracle WebLogic Application Server, and IBM Websphere Commerce. His current research interests include applied cryptanalysis, XML external entity attacks, and network timing attacks. Tim develops and maintains several open source forensics tools in addition to Bletchley, an application cryptanalysis toolkit.

    Tim works to secure his customers’ environments through black box testing, code reviews, social engineering exercises, security training, and a variety of other services. Previously, Tim worked for a Boston-based security consulting firm as a lead security consultant and researcher. Tim has also worked on security teams at financial services companies and as a software developer. Tim has worked in a variety of roles in the information security field, including incident response, digital forensics, and risk analysis, giving him a broad set of experiences to draw upon. Tim earned his computer science degrees from Harvey Mudd College and Northeastern University and currently resides in Portland, Oregon, where he leads the local OWASP chapter.

