>> I'm still waiting for a real world example.
> You don't say? Took me one google search to find examples.
One such search gives results here:
http://tinyurl.com/y9ad3pv
But don't all of these examples arise from IMproperly-written code? Can there be examples of the vulnerabilities of properly-written code? It seems like properly-written code is by definition immune from insertion attacks. Why is that? Because properly-written code observes Rule #1:
Never trust user input.
We accept that Rule #1 applies to every application, written in whatever language (or framework, like HTML), that accepts user input. IOW it's the application that's deficient, not the language. No big news to the OP or anyone else.
Don't we also know the elementary, vanilla ways to defend against insertion attacks, to make user input trustworthy:
1. apply a whitelist; and
2. escape everything.
So: are there attacks that defeat these two methods? With examples, natch :-)
-- pete
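
The two defenses listed in the post, shown for an HTML output context, as an added example that is not part of the original message. The field rules (`USERNAME_RE`, `THEMES`), the function names and the sample inputs are assumptions constructed for illustration.

```python
import html
import re

# Assumed field rules for this sketch: the pattern and theme names are
# illustrative, not taken from the thread.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")
THEMES = {"light", "dark"}

def allow_username(raw: str) -> str:
    """Rule 1 (whitelist): accept only what matches, reject everything else."""
    # fullmatch, not match with '$': '$' also matches before a trailing newline.
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("username not in allowed character set")
    return raw

def allow_theme(raw: str) -> str:
    """Whitelist by enumeration: the value must be one of a fixed set."""
    if raw not in THEMES:
        raise ValueError("unknown theme")
    return raw

def render_comment(username: str, theme: str, comment: str) -> str:
    """Rule 2 (escape): free text is escaped for the HTML context it lands in."""
    user = allow_username(username)
    cls = allow_theme(theme)
    # quote=True also escapes " and ', so the text stays inert inside a quoted attribute.
    body = html.escape(comment, quote=True)
    return f'<div class="{cls}" title="{html.escape(user)}">{body}</div>'

# Constructed sample inputs (username, theme, comment).
SAMPLES = [
    ("pete", "dark", "plain text"),
    ("pete", "dark", "<script>alert(1)</script>"),
    ("pete", "dark", '" onmouseover="x'),
    ("pete\n", "dark", "trailing newline in a validated field"),
    ("pete", 'dark" onclick="x', "markup in an enumerated field"),
]

def run_samples():
    """Render each sample; a whitelist failure is reported instead of rendered."""
    results = []
    for user, theme, comment in SAMPLES:
        try:
            results.append(render_comment(user, theme, comment))
        except ValueError as exc:
            results.append(f"rejected: {exc}")
    return results
```

The escaping here is specific to HTML element bodies and quoted attributes; a value written into a different context needs that context's own encoder.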