Persistent Threats (yes, I dropped the advanced) get a lot of airtime, but if there ever was a case for a persistent vulnerability (PV), you’d have to imagine SQL injection (SQLi) being the grandmother of them all.
Ever since SQL databases have been used, input fields have been vulnerable to SQLi. If you were to humanise these components, an SQL database would most likely resemble a big lump of a man who doesn’t get out much. Morbidly obese and probably suffers from back acne. Like that late night security guard working at the reception desk in your building who always seems to either be munching on a slice of pizza or sleeping with his feet up on the table and his mouth wide open snoring loudly.
Lady SQLi, is the young irresistibly attractive lady who walks into that reception room and batters her eyelids as asks if she could be let into a meeting room; or use the phone, the restroom or any other facility within the building. Despite having no ID or anyone to verify her identity, the big old database seems happy just to be noticed and is like putty in her hands.
There’s a lesson in there somewhere – I’m just not sure what it is.