Cyberthreat alert

SQL Injection Persists as Web Security Vulnerability, CISA-FBI Advisory Warns

A joint alert from the Cybersecurity and Infrastructure Security Agency and the FBI urged technology manufacturers to conduct formal evaluations of their software products to eliminate security weaknesses arising from structured query language injection.

The agencies released the advisory, “Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software,” following a recent SQLi attack on a managed file transfer application that hit thousands of organizations. Many customers remain at risk from the vulnerabilities despite the extensive SQLi documentation and accessibility of mitigation methods, CISA said Monday.

The advisory pointed out that threat actors initiate SQLi attacks by inserting maliciously crafted structured SQL into database parameters. The injection can enable the execution of unintended SQL commands, including exfiltration, manipulation or deletion of stored data.

One way for software developers to prevent SQLi exploitation is through the use of parameterized queries with statements designed to separate user-supplied data from the SQL code, according to the advisory. It also encouraged manufacturers’ transparency in product vulnerability disclosures to customers through the CVE program.