Hackers Continue to Abuse Easily Preventable Vulnerability to Cause Massive Damage
What will it take to rid the world of SQL injection vulnerabilities, which remain too easily exploitable by attackers for ransacking databases and worse?
“Vulnerabilities like SQLi have been considered by others an ‘unforgivable’ vulnerability since at least 2007,” according to a new “Secure by Design” alert issued by the U.S. Cybersecurity and Infrastructure Security Agency and the FBI.
Things haven’t gotten any better in the intervening 17 years. The Open Worldwide Application Security Project regularly places SQL injection at or near the top of its list of top 10 vulnerabilities. MITRE classifies the flaw as one of the most dangerous and stubborn to afflict codebases.
Enter the alert from U.S. government cybersecurity officials calling on senior executives across corporate America to launch an SQL injection vulnerability extinction program. This involves implementing processes designed to constantly review code bases for signs of such flaws and to eradicate them via secure by design development practices.
For the uninitiated, SQL injection – malicious insertion – vulnerabilities risk causing a “high-impact severity” because they “allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server,” OWASP said.
They’re bad news and always have been. “The severity of SQL injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server,” OWASP said.
Effective techniques for blocking SQL injection attacks have been on hand for two decades, including “prepared statements, which are also known as parameterized queries and have been a feature of MySQL since 2004.
CISA and the FBI strongly recommend that senior executives mandate and enforce the use of prepared statements as “a standard practice in software development.”
This secure by design approach separates user input from database commands and prevents user input from being treated as executable code. OWASP says that as defenses go, it’s the single most effective way to combat SQL injection – provided it’s done server-side rather than client-side.
“If database queries use this coding style, the database will always distinguish between code and data, regardless of what user input is supplied,” according to a cheat sheet from OWASP. “Also, prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker.”
The U.S. government’s call to action comes as SQL injection attacks continue to cause untold amounts of damage.
Take just one SQL injection attack of late: the zero-day vulnerability in MOVEit secure file transfer software exploited en masse by the Clop ransomware group last May. More than 2,770 organizations and personal details for 95 million individuals have been directly or indirectly affected by the campaign, according to cybersecurity firm Emsisoft’s latest count.
Clop’s campaign represented only a very small fraction of the SQL injection attacks logged last year. Security experts continue to track numerous nation-state hacking teams, ransomware operations and other cybercrime groups that regularly seek to identify and exploit SQL injection flaws.
One challenge is that defense in depth against SQL injection attacks involves more than securing databases. “In modern computing, SQL injection typically occurs over the internet by sending malicious SQL queries to an API endpoint provided by a website or service,” Cloudflare said.
Another challenge is that attackers can tap a variety of automated tools to facilitate such attacks. These tools “allow a malicious actor to automatically search through a website looking for forms, and then attempt to input various SQL queries that may generate a response that the website’s software developers did not intend in order to exploit the database,” Cloudflare said. “A single vulnerable field on any form or API endpoint across a website that has access to a database may be sufficient to expose a vulnerability.”
Of course, there’s nothing to stop development groups and red teams from using such tools internally, to search and destroy these flaw before attackers. That remains a major impetus for secure by design practices: Don’t make life easy for attackers.
As the continuing prevalence of SQL injection vulnerabilities demonstrates, we still have a long way to go.