Despite being well-documented for some time now, and considered an “unforgivable” mishap, SQL Injection (SQLi) vulnerabilities remain “a persistent class of defect in commercial software products,” a new report from the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) has declared.
In the paper, the two US government agencies are urging commercial software builders to “mount a formal review of their code” to establish whether or not it is susceptible to SQLi.
Users are advised to push their vendors to run such reviews.
Bypassing 2FA
“If they discover their code has vulnerabilities, senior executives should ensure their organizations’ software developers immediately begin implementing mitigations to eliminate this entire class of defect from all current and future software products,” the two firms said.
SQL injection is a type of attack in which a hacker can “inject” malicious queries into an SQL command, resulting in the execution of arbitrary queries. As a result, threat actors could access sensitive data, and even take over vulnerable systems.
This type of vulnerability stems from the “co-mingling of database queries and user-supplied data,” the two organizations explained. To mitigate the threat, organizations should use parameterized queries with prepared statements, as this approach separates SQL code from user data.
SQLi vulnerabilities were the third most dangerous software vulnerability between 2021 and 2022 according to MITRE, BleepingComputer reported in its writeup.
"Incorporating this mitigation at the outset—beginning in the design phase and continuing through development, release, and updates—reduces the burden of cybersecurity on customers and risk to the public."
CISA and the FBI said they released Secure by Design Alert “in response to a recent well-publicized malicious threat actor campaign that exploited SQLi defects in a managed file transfer application to target and compromise users of that application—impacting thousands of organizations,” referring to last year’s Cl0p campaign that started with a vulnerability in MOVEit.
More from TechRadar Pro
- Comcast Xfinity accounts are being attacked in 2FA bypass attacks
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now