
For more than a decade, injection vulnerabilities have topped the charts of dangerous software flaws, ranked ahead of every other vulnerability class in the 2010, 2013, and 2017 Top 10 lists maintained by the Open Web Application Security Project (OWASP); they slipped only to third place in the 2021 edition.
Still, the warnings have failed to weed out the issues. Last year, the Cl0p group stole data from companies using a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer file-transfer application. In late March, the Cybersecurity and Infrastructure Security Agency (CISA) called for companies to redouble their efforts to eliminate the security issue, which application-security experts consider one of 13 different 'unforgivable' classes of vulnerabilities that programmers should catch during development.
“Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers continue to develop products with this defect, which puts many customers at risk,” the agency stated in its March 25 advisory. “Vulnerabilities like SQLi have been considered by others an ‘unforgivable’ vulnerability since at least 2007.”
The root of injection vulnerabilities is a lack of input sanitization: whenever an application receives variable input, there is a risk that the input is tainted, says Randall Degges, head of developer relations at application-security firm Snyk.
“Although this has been an issue since programming existed, the reason it’s still in the top-10 vulnerabilities after all this time is because there are an infinite number of ways to use input and oftentimes sanitizing input is tricky,” he says.
For software developers looking to nix this particular issue, here’s how.
1. Educate Yourself and Others
The first step is always education. OWASP has a cheat sheet on SQL injection, how to detect the vulnerability, and ways of creating safe code. Some web-application frameworks aim to educate developers while they are programming, using API names to make the risk of some functions clear, such as React’s ‘dangerouslySetInnerHTML’ prop, says James Kettle, director of research at PortSwigger, an application-security testing firm.
In addition, developers should not necessarily trust the makers of open-source software — especially components that have not been well vetted — to use safe code, and online tutorials are often unsafe as well, he says.
“I think the core issue is that there’s a lot of unsafe APIs, where anyone using the API is vulnerable by default,” Kettle says. “Even when there are more modern secure APIs available, fresh code is written using the unsafe versions thanks to old unsafe examples in Stack Overflow.”
2. Harden the DevOps Pipeline Using Automated Tools
Developers should implement unit tests to check code for SQL injection flaws — and other common security issues — during development, add static application security testing both prior to and after commits, and include scans for SQL injection as part of dynamic application security testing.
Unit tests can be added using frameworks such as tSQLt for testing Microsoft SQL Server, pgTAP for testing applications that use PostgreSQL, and Pytest and SQLAlchemy for unit testing in Python programs. A variety of SQL unit testing best practices should be followed to make the tests more useful, such as isolating the SQL tests from dependencies and descriptive naming of the tests.
In addition to automated tests in the development pipeline, developers should make sure to use SQL toolkits and ORMs, such as SQLAlchemy, because many security improvements are already baked in, says Snyk’s Degges. The most important of these is parameterized queries (bound parameters): the query text stays fixed and user-supplied values travel to the database separately, so they can never be parsed as SQL. Sanitizing input is a secondary defense, not a substitute for parameterization, and it does not help with the one thing parameters cannot bind, such as table or column names, which must instead be checked against an allow-list.
“Pretty much all modern SQL frameworks and tools provide convenience methods to help with this nowadays, so your best bet is to thoroughly read through the relevant framework documentation to ensure you’re using it correctly when building queries,” he says.
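To make the root cause and the fix concrete, here is an added example (not code from the article, Snyk, or PortSwigger) using Python's standard-library sqlite3 module against a constructed in-memory users table. It shows the same login query written with string formatting and with bound parameters, the classic payloads (comment-out bypass, tautology, UNION data dump) succeeding against the first and failing against the second, and an allow-list for a column name that cannot be parameterized. The table, credentials, and function names are all hypothetical.

```python
import sqlite3

# Constructed sample data for the demo; nothing here comes from a real system.
SAMPLE_ROWS = [
    (1, "alice", "s3cret", "admin"),
    (2, "bob", "hunter2", "user"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """Tainted input is spliced straight into the SQL text: the classic bug."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with bound parameters: values are sent separately from the
    SQL text, so a quote or comment marker in them is just data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# Identifiers (column and table names) cannot be bound as parameters, so the
# only safe way to let a caller choose a sort column is an allow-list.
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def list_users_sorted(conn, sort_by):
    """Sort by a caller-chosen column, accepting only known column names."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe to interpolate only because sort_by was just checked against the allow-list.
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")]


# Three hypothetical attacker payloads for the username field.
PAYLOAD_COMMENT_BYPASS = "alice' --"                           # log in as alice, password ignored
PAYLOAD_TAUTOLOGY = "' OR 1=1 --"                              # match every row
PAYLOAD_UNION_DUMP = "' UNION SELECT password FROM users --"   # read the password column


def demo():
    """Run each payload through both implementations and return the results."""
    conn = make_db()
    return {
        "vulnerable_comment_bypass": login_vulnerable(conn, PAYLOAD_COMMENT_BYPASS, "wrong"),
        "vulnerable_tautology": login_vulnerable(conn, PAYLOAD_TAUTOLOGY, "wrong"),
        "vulnerable_union_dump": sorted(login_vulnerable(conn, PAYLOAD_UNION_DUMP, "wrong")),
        "safe_comment_bypass": login_safe(conn, PAYLOAD_COMMENT_BYPASS, "wrong"),
        "safe_tautology": login_safe(conn, PAYLOAD_TAUTOLOGY, "wrong"),
        "safe_union_dump": login_safe(conn, PAYLOAD_UNION_DUMP, "wrong"),
        "safe_valid_login": login_safe(conn, "alice", "s3cret"),
        "sorted_by_username": list_users_sorted(conn, "username"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same assertions dropped into a pytest file give the kind of regression test the article recommends: the vulnerable function returns rows for every payload, the parameterized one returns nothing for any of them and still authenticates a valid user, and an out-of-list sort column raises before any SQL is built.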
3. Play Around with sqlmap
The open-source program sqlmap is a great tool for penetration testers to experiment with SQL injection, exploit any potential vulnerabilities, and dump a database to prove that the vulnerability can be exploited. The tool can also show application developers the true dangers of SQL injection and how vulnerable code can be exploited. As with any exploitation tool, run it only against systems you are authorized to test.
However, the tool is not necessarily the best way to scan for potential vulnerabilities, says PortSwigger’s Kettle.
“In my experience the detection capabilities are slow, heavyweight, and prone to false positives,” Kettle says. “Also, it can’t explore websites to find attack surface, which is one of the biggest challenges for finding these vulnerabilities automatically.”
4. Consider a DAST Service
Automating SQL injection scanning using Dynamic Application Security Testing (DAST) as part of the quality assurance stage — and even earlier in the DevOps pipeline, if possible — can help catch any overlooked vulnerabilities. In addition, DAST scanning is a good way to find SQL injection in legacy code.
While web application firewalls (WAFs) can prevent SQL injection attacks from reaching an application, they should only be used as part of a defense-in-depth strategy and not relied upon, says Kettle.
“Personally, I’ve seen runtime protection like WAFs bypassed so many times that I don’t have much confidence in them,” he says. “I would recommend a bug bounty program as an effective way to surface undetected vulnerabilities instead, and use WAFs as a last resort for systems that are in such a bad state that known vulnerabilities can’t be patched.”
5. Expand Beyond SQL
Finally, companies should also look for other types of injection vulnerabilities and make sure their developers recognize risky patterns, as SQL injection is only one class of injection vulnerabilities.
OWASP broadens the definition of an injection vulnerability to any software flaw where user-supplied data is not validated or sanitized by an application and is then sent to an interpreter. Cross-site scripting (injection into HTML and JavaScript), SQL, operating-system command execution, and Lightweight Directory Access Protocol (LDAP) queries are all areas that can be vulnerable to injection, and the same defense applies to each: keep the instructions fixed and pass untrusted data through an API that cannot reinterpret it as code.
With the advent of large language models, prompt injection is the latest form of injection attack, where untrusted text in a model’s input is interpreted as instructions.