CISA and the FBI urged executives of technology manufacturing companies to prompt formal reviews of their organizations’ software and implement mitigations to eliminate SQL injection security vulnerabilities before shipping.
In SQL injection attacks, threat actors “Inject” maliciously crafted SQL queries into input fields or parameters used in database queries, exploiting vulnerabilities in the application’s security to execute unintended SQL commands, such as exfiltrating, manipulating, or deleting sensitive data stored in the database.
CISA and the FBI advise the use of parameterized queries with prepared statements to prevent SQL injection vulnerabilities.
SQLi vulnerabilities took the third spot in MITRE’s top 25 most dangerous weaknesses plaguing software between 2021 and 2022, only surpassed by out-of-bounds writes and cross-site scripting.
“If they discover their code has vulnerabilities, senior executives should ensure their organizations’ software developers immediately begin implementing mitigations to eliminate this entire class of defect from all current and future software products,” CISA and the FBI said [PDF].
“Vulnerabilities like SQLi have been considered by others an ‘unforgivable’ vulnerability since at least 2007. Despite this finding, SQL vulnerabilities are still a prevalent class of vulnerability.”
