LIBINJECTION: A C LIBRARY FOR SQLI DETECTION AND GENERATION THROUGH LEXICAL ANALYSIS OF REAL WORLD ATTACKS

Black Hat USA 2012

Presented by: Nick Galbreath
Date: Wednesday July 25, 2012
Time: 14:55 - 15:15
Location: Augustus I+II
Track: Upper Layers

SQLi and other injection attacks remain the top OWASP and CERT vulnerability. Current detection attempts frequently involve a myriad of regular expressions, which are not only brittle and error-prone but were also shown by Hansen and Patterson at Black Hat 2005 to never be a complete solution. libinjection is a new open source C library that detects SQLi using lexical analysis. With little upfront knowledge of what SQLi is, the algorithm has been trained on tens of thousands of real SQLi attacks and hundreds of millions of user inputs taken from a Top 50 website, for high precision and accuracy. In addition, the algorithm categorizes SQLi attacks and provides templates for new attacks or new fuzzing algorithms. libinjection is available now on GitHub for integration into applications and web application firewalls, or for porting to other programming languages.
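As an added illustration (not libinjection's code and not from the talk), the C program below shows the idea behind lexical SQLi detection: rather than regex-matching keywords, the input is tokenized under each quoting context it could land in inside a query (plain, single-quoted, double-quoted), the classes of its first few tokens form a short fingerprint, and only fingerprints that are known to come from attacks are flagged. The token alphabet, the five-token fingerprint length, the fingerprint table and the sample inputs are all constructed for this example; libinjection derives its own tables from real attack traffic.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Token classes used for the fingerprint. This alphabet and the whole tokenizer
 * are constructed for this example; they are not libinjection's. */
enum { TOK_NUMBER = 'n', TOK_STRING = 's', TOK_KEYWORD = 'k',
       TOK_OPERATOR = 'o', TOK_COMMENT = 'c', TOK_BAREWORD = 'b' };

#define FP_LEN 5   /* fingerprint = classes of the first five tokens (constructed choice) */

static const char *KEYWORDS[] = { "OR", "AND", "UNION", "SELECT", NULL };

/* Constructed allow-list of fingerprints produced by the sample attacks below.
 * libinjection mines such a table from real traffic; this one is hand-made. */
static const char *ATTACK_FINGERPRINTS[] = { "sksos", "sknon", "nknon", "sc", NULL };

static int is_keyword(const char *w, size_t n) {
    for (int i = 0; KEYWORDS[i]; i++) {
        const char *kw = KEYWORDS[i];
        if (strlen(kw) != n) continue;
        size_t j = 0;
        while (j < n && toupper((unsigned char)w[j]) == kw[j]) j++;
        if (j == n) return 1;
    }
    return 0;
}

/* Tokenize `input` and write the classes of its first FP_LEN tokens into `out`.
 * `ctx` is 0 (plain SQL), '\'' or '"': the quote the input is assumed to be
 * embedded in, so the first matching quote closes an already-open string. */
static void fingerprint(const char *input, char ctx, char out[FP_LEN + 1]) {
    size_t i = 0, n = strlen(input), k = 0;
    if (ctx) {
        while (i < n && input[i] != ctx) i++;
        if (i < n) i++;
        out[k++] = TOK_STRING;
    }
    while (i < n && k < FP_LEN) {
        char c = input[i];
        if (isspace((unsigned char)c)) { i++; continue; }
        if (isdigit((unsigned char)c)) {
            while (i < n && isdigit((unsigned char)input[i])) i++;
            out[k++] = TOK_NUMBER;
        } else if (c == '\'' || c == '"') {
            i++;
            while (i < n && input[i] != c) i++;
            if (i < n) i++;                 /* else: unterminated string runs to end */
            out[k++] = TOK_STRING;
        } else if ((c == '-' && i + 1 < n && input[i + 1] == '-') || c == '#') {
            i = n;                          /* line comment swallows the rest */
            out[k++] = TOK_COMMENT;
        } else if (c == '/' && i + 1 < n && input[i + 1] == '*') {
            i += 2;
            while (i + 1 < n && !(input[i] == '*' && input[i + 1] == '/')) i++;
            i = (i + 1 < n) ? i + 2 : n;
            out[k++] = TOK_COMMENT;
        } else if (isalpha((unsigned char)c) || c == '_') {
            size_t start = i;
            while (i < n && (isalnum((unsigned char)input[i]) || input[i] == '_')) i++;
            out[k++] = is_keyword(input + start, i - start) ? TOK_KEYWORD : TOK_BAREWORD;
        } else {
            i++;                            /* any other punctuation: operator */
            out[k++] = TOK_OPERATOR;
        }
    }
    out[k] = '\0';
}

/* Try each quoting context; return 1 and leave the matching fingerprint in `fp`
 * if any of them is in the table, otherwise 0 with the plain-context fingerprint. */
int is_sqli(const char *input, char fp[FP_LEN + 1]) {
    const char contexts[] = { 0, '\'', '"' };
    for (size_t c = 0; c < sizeof contexts; c++) {
        fingerprint(input, contexts[c], fp);
        for (int i = 0; ATTACK_FINGERPRINTS[i]; i++)
            if (strcmp(fp, ATTACK_FINGERPRINTS[i]) == 0) return 1;
    }
    fingerprint(input, 0, fp);
    return 0;
}

/* Small helpers for checks: flagged at all, and flagged with a given fingerprint. */
int flagged(const char *input) { char fp[FP_LEN + 1]; return is_sqli(input, fp); }
int flagged_with(const char *input, const char *expected) {
    char fp[FP_LEN + 1];
    return is_sqli(input, fp) && strcmp(fp, expected) == 0;
}

int main(void) {
    /* Constructed sample inputs: two textbook tautologies, one comment truncation,
     * and two benign strings that a naive regex on "'" or "\bor\b" would flag. */
    const char *samples[] = { "1' OR '1'='1", "1 OR 1=1", "admin'--", "O'Reilly", "10 or more" };
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        char fp[FP_LEN + 1];
        int hit = is_sqli(samples[s], fp);
        printf("%-16s fingerprint=%-6s %s\n", samples[s], fp, hit ? "SQLi" : "benign");
    }
    return 0;
}
```

The benign cases are the point of the approach: "O'Reilly" tokenizes to a string followed by a bareword in single-quote context and to a bareword followed by a string in plain context, neither of which is an attack shape, so the apostrophe alone never triggers a hit; likewise "10 or more" is number, keyword, bareword, which no tautology produces. In a real deployment the fingerprint table is the part you would populate from observed attack data rather than by hand.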

Nick Galbreath

Nick Galbreath is a director of engineering at Etsy, overseeing groups handling security, fraud, authentication and other enterprise features. Over the last 18 years, Nick has held leadership positions in a number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market, and has consulted for many more. He is the author of "Cryptography for Internet and Database Applications" (Wiley), and was awarded a number of patents in the area of social networking. He holds a master's degree in mathematics from Boston University.
