Sep 10, 2023

MOVEit Breach Shows Us SQL Injections Are Still Our Achilles’ Heel

Posted in category: cybercrime/malcode

In late 1998, when I was just beginning my career in technology, I read in the venerable Phrack magazine how poor input sanitization allowed rain.forest.puppy (the pseudonym used by Jeff Forristal) to pass SQL query strings directly to the back-end database of a Web application.

It’s an unfortunate reality that a quarter of a century later, SQL injection — among the lowest hanging of security fruit — is still included in the Open Worldwide Application Security Project (OWASP) Top 10 list of security vulnerabilities. One of the worst attacks ever occurred back in 2008, when Heartland Payment Systems was breached and more than 130 million credit and debit card numbers were compromised. In 2023, the Cl0p ransomware group exploited previously unknown SQL injection vulnerabilities in MOVEit, Progress Software’s file transfer program, and compromised hundreds of victims as part of a supply chain attack.

We do not have insight into Progress Software’s software development life cycle or security practices to ascertain what happened. While a vulnerability assessment system or even a bug hunting program could have potentially identified SQL injection flaws in the code before they were exploited, focusing on producing code that is secure by construction is an even better way to address this class of vulnerability.