FBI and CISA say it’s time to delete SQL injection flaws for good

Application security testing concept image showing magnifying glass highlighting SQL injection flaws and software bugs.
(Image credit: Getty Images)

Tech companies continue to produce software at risk of SQL injection flaws, even though the issue – and how to prevent it – has been known about for years, according to a warning from CISA and the FBI.

SQL injection (SQLi) vulnerabilities remain a common class of software flaw, the agencies said, even though both the problem and the ways to prevent it have been widely understood for two decades.

“Software manufacturers have continued to develop products with this defect, which puts many customers at risk,” the alert said.

CISA and the FBI said they issued the alert in response to a recent campaign which saw attackers exploiting SQLi defects in a managed file transfer application to target and compromise users, which impacted thousands of organizations.

Last year, the CL0P ransomware gang exploited a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software's managed file transfer product, MOVEit Transfer.

Internet-facing MOVEit Transfer web applications were infected with a web shell, which was then used to steal data from underlying MOVEit Transfer databases, with high profile organizations falling victim including the BBC and US federal agencies.

The agencies said senior executives at tech companies should carry out a formal review of their code to find out whether it is susceptible to SQLi flaws. They added that customers should also ask their vendors whether they have conducted such a review.

If execs find their code has these vulnerabilities, software developers should immediately begin working on mitigations to eliminate the flaws from all current and future software products, they said.

Vulnerabilities such as SQLi have been considered 'unforgivable' since at least 2007, CISA noted. Despite this, they remain a common class of vulnerability: CWE-89 appears on the 2023 Top 25 lists of both the most dangerous and the most stubborn software weaknesses, ranked at number three on each.

How are SQL injection flaws exploited?

SQL injection vulnerabilities arise when user-supplied input is inserted directly into the text of a SQL command, so that the input is parsed as part of the statement rather than handled as a value.

The CWE-89 entry describes the problem as user-controlled data being used to deliberately alter the query logic, either to bypass security checks or to append additional statements that modify the back-end database, possibly including execution of system commands.

“SQL injection has become a common issue with database-driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or product package with even a minimal user base is likely to be subject to an attempted attack of this kind. This flaw depends on the fact that SQL makes no real distinction between the control and data planes,” it notes.

The alert from the FBI and CISA is more strident in its tone.

“SQLi vulnerabilities are caused by software developers’ inattention to security best practices, resulting in the co-mingling of database queries and user-supplied data,” it said.

“Specifically, SQLi vulnerabilities can allow malicious cyber actors to steal sensitive information, tamper with, delete, or render information unavailable in a database. SQL injections succeed because software developers fail to treat user-supplied content as potentially malicious.”

How to mitigate SQL injection flaws

To prevent SQL Injections, developers should use parameterized queries with prepared statements to separate SQL code from user-supplied data, according to CISA.


This means the database engine treats user input as data, not as executable code, so malicious input cannot change the structure of the statement. One caveat a practitioner should keep in mind: placeholders only cover values. Table and column names, sort direction and similar query fragments cannot be parameterized and must instead be restricted to a fixed allow-list in application code.

“Software manufacturers should systematically eliminate SQLi vulnerabilities by enforcing the use of parameterized queries across their applications,” the agencies said.

They noted that some developers try to use ‘input sanitization techniques’ to prevent SQLi vulnerabilities. While this can stop some attacks “those techniques are brittle, difficult to enforce at scale, and frequently can be bypassed”.
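The following is an added example, not code from the CISA/FBI alert or from any vendor's product, that puts the two halves of the argument above side by side: a query built by string formatting, which an attacker can turn into a different statement, next to the same query written with placeholders, which cannot be altered by input. It also shows why quote-escaping "sanitization" is brittle, using a numeric column where there is no quote to escape. The table, rows and function names are constructed for the demonstration; it uses an in-memory SQLite database so it runs offline. Comparing a password hash inside SQL is only for illustration of the injection point, not a recommended authentication design.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    # Sample rows, constructed for this example only.
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "h1", 1), ("bob", "h2", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """CWE-89: query text and user data are co-mingled. Whatever the user
    types is parsed as SQL, so a quote and a comment marker rewrite the WHERE clause."""
    sql = (
        f"SELECT id, username FROM users WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password_hash):
    """Prepared statement with placeholders: the statement's structure is fixed
    before the values are supplied, so input can only ever be compared as data."""
    sql = (
        "SELECT id, username FROM users WHERE username = ? "
        "AND password_hash = ? ORDER BY id"
    )
    return conn.execute(sql, (username, password_hash)).fetchall()


def sanitize_quotes(value):
    """A typical 'input sanitization' attempt: double up single quotes."""
    return value.replace("'", "''")


def lookup_by_id_sanitized(conn, user_id):
    """Still vulnerable: the value sits in a numeric context with no quotes around it,
    so there is nothing for the quote-escaping to neutralise."""
    sql = f"SELECT id, username FROM users WHERE id = {sanitize_quotes(user_id)}"
    return conn.execute(sql).fetchall()


def lookup_by_id_parameterized(conn, user_id):
    """Placeholder version: the bound value is compared as a value, never parsed."""
    sql = "SELECT id, username FROM users WHERE id = ? ORDER BY id"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"            # closes the quote, adds OR 1=1, comments out the rest
    print("vulnerable login:  ", login_vulnerable(db, payload, "wrong"))      # every user
    print("parameterized login:", login_parameterized(db, payload, "wrong"))  # nothing
    numeric_payload = "1 OR 1=1"        # no quote to escape, so sanitisation changes nothing
    print("sanitized lookup:   ", lookup_by_id_sanitized(db, numeric_payload))      # every user
    print("parameterized lookup:", lookup_by_id_parameterized(db, numeric_payload))  # nothing
```

With the `--` comment marker the rest of the vulnerable statement, including the password check, is discarded, which is why the first call returns every row. The parameterized versions return nothing for the same input because the driver hands the value to the engine separately from the already-parsed statement; there is no point at which `OR 1=1` can become part of the query.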

CISA and the FBI said tech companies should follow three principles when it comes to software development. 

These include: 

Take ownership of customer security

Software companies should provide safe building blocks for their software developers “to ensure that a single developer error does not compromise data of millions of users.” 

They should offer prepared statements with parameterized queries as a standard practice in software development.

Similarly, the advisory said they should enforce this via development libraries that make the secure route the default one for developers and checks at the time of pull requests.
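As an added illustration of the pull-request-time check the advisory describes, the following is a small static check, written for this article and not a tool from CISA, the FBI or any vendor, that walks a Python file's syntax tree and flags calls to `execute`-style database methods whose SQL argument is assembled at runtime with an f-string, `+` concatenation, `%` formatting or `str.format`. The method names it looks for and the sample source it is run against are constructed for the example.

```python
import ast
import sys

# Database-API method names to inspect (an assumption for this example).
DB_EXEC_METHODS = {"execute", "executemany", "executescript"}


def _is_static_sql(node):
    """True if the expression is a string literal, or literals joined with '+'.
    Implicit literal concatenation ("a" "b") is already a single Constant."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _is_static_sql(node.left) and _is_static_sql(node.right)
    return False


def _dynamic_sql_reason(node):
    """Return a short reason if the SQL argument is built at runtime, else None."""
    if _is_static_sql(node):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "concatenation"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "%-formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format"
    return None


def find_unsafe_execute(source, filename="<pr>"):
    """Return [(line_number, reason)] for every *.execute(...)-style call whose
    first argument is dynamically built SQL, sorted by line number."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in DB_EXEC_METHODS):
            continue
        reason = _dynamic_sql_reason(node.args[0])
        if reason:
            findings.append((node.lineno, reason))
    return sorted(findings)


# Constructed sample module: one safe call, four unsafe ones, one static concatenation.
SAMPLE = """
import sqlite3
def a(conn, name):
    conn.execute("SELECT * FROM users WHERE name = ?", (name,))
def b(conn, name):
    conn.execute(f"SELECT * FROM users WHERE name = '{name}'")
def c(conn, name):
    conn.execute("SELECT * FROM users WHERE name = '" + name + "'")
def d(conn, name):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
def e(conn, name):
    conn.execute("SELECT * FROM users WHERE name = '{}'".format(name))
def f(conn):
    conn.execute("SELECT id " "FROM users " + "WHERE active = 1")
"""


if __name__ == "__main__":
    # In a CI job this would read the files changed in the pull request instead.
    hits = find_unsafe_execute(SAMPLE, "sample.py")
    for lineno, reason in hits:
        print(f"sample.py:{lineno}: SQL built with {reason}; use a parameterized query")
    sys.exit(1 if hits else 0)
```

A check like this is deliberately narrow: it catches the common patterns at the call site but not a query string assembled in a variable several lines earlier, and it says nothing about code in other languages. That is fine for its purpose, which is to make the insecure route cost a failing check while the parameterized route passes silently; the broader guarantee comes from the data-access library that only exposes placeholder-based APIs.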

Be transparent about CVEs and CWEs

Software companies should track the classes of vulnerability associated with their software and disclose them to their customers via the Common Vulnerabilities and Exposures (CVE) program. 

Manufacturers should ensure that their CVE records are correct and complete, and should supply accurate Common Weakness Enumeration (CWE) identifiers, which classify the underlying type of weakness rather than a single instance of it, so the industry can track classes of software defect.

“They should also identify and document the root causes of those vulnerabilities and declare it a business goal to work toward eliminating entire classes of vulnerability,” the agencies said.

Look at the bigger picture

While software execs will care about cost, features, and customer experience, they should also prioritize the security of their products, the agencies said. 

“Customers, our economy, and our national security are currently bearing the brunt of business decisions to not build security into their products,” they said.

The advisory added that software execs should focus heavily on “directing the business toward secure by design software development”.

These design principles will ultimately help reduce “financial and productivity costs as well as complexity”.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.