FBI, H-ISAC TLP Clear Secure by Design Alert: Eliminating SQL Injection Vulnerabilities in Software

SQL injection—or SQLi—vulnerabilities remain a persistent class of defect in commercial software products.¹ Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers have continued to develop products with this defect, which puts many customers at risk.2 CISA and the FBI are releasing this Secure by Design Alert in response to a recent well-publicized malicious threat actor campaign that exploited SQLi defects in a managed file transfer application to target and compromise users of that application—impacting thousands of organizations. CISA and the FBI urge senior executives at technology manufacturers to mount a formal review of their code to determine its susceptibility to SQLi compromises and encourage all technology customers to ask their vendors whether they have conducted such a review. If they discover their code has vulnerabilities, senior executives should ensure their organizations’ software developers immediately begin implementing mitigations to eliminate this entire class of defect from all current and future software products^.3 Building security into products from the beginning can eliminate SQLi vulnerabilities.

View the detailed report below. 

^__________

^{1 OWASP Foundation. “SQL Injection.” n.d. https://owasp.org/www-community/attacks/SQL_Injection .
2 In 2004, MySQL introduced a technique called “prepared statements” that separate database commands from untrustworthy data, thereby eliminating SQL injection vulnerabilities. See: MySQL. "Changes in release 4.1.3 (28 Jun 2004: Beta).” June 28, 2004. https://web.archive.org/web/20060422175612/http://dev.mysql.com/doc/refman/4.1/en/news-4-1-3.html. 
3 OWASP Foundation. “SQL Injection Prevention Cheat Sheet.” n.d. https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html.}