API A8 - Injection
What is it?
Attackers construct API calls that include SQL, NoSQL, OS, or other commands that the API, or the backend behind it, blindly executes. This vulnerability arises when unsanitized user input is passed directly to database queries or OS command interpreters.
What are the common types of injection for APIs?
References
Test case FAQs
When is this test case applicable?
Applies to all API endpoints that consume user-supplied input.
How does it work?
The input parameter(s) of the API endpoint are injected with malicious data (injection strings). The malicious data tries to trick the API's backend query interpreter into executing unauthorized commands, which can cause leakage of sensitive data or even a complete denial of service.
What is the solution?
- Strictly define all API input data, such as schemas, types, and string patterns, and enforce them at runtime.
- Validate, filter, and sanitize all incoming data.
- Define, limit, and enforce API outputs to prevent data leaks.
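The three remediation points above, applied to a single lookup endpoint, as an added example that is not part of the original page: the username parameter is checked against a declared pattern before use, the SQL query binds the value instead of splicing it into the statement, and the response exposes only the columns the endpoint is meant to return. The table layout, the `users` sample rows and the handler names are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the original page).
USERS = [
    (1, "alice", "alice@example.com", "hash-a", "admin"),
    (2, "bob", "bob@example.com", "hash-b", "user"),
]

# Declared schema for the username parameter: lowercase alphanumerics and
# underscore, 3 to 32 characters. Anything else is rejected before it
# reaches the database.
USERNAME_PATTERN = re.compile(r"[a-z0-9_]{3,32}")


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "email TEXT, pw_hash TEXT, role TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    return conn


def validate_username(value) -> str:
    """Enforce the declared schema at runtime: type and pattern."""
    if not isinstance(value, str) or not USERNAME_PATTERN.fullmatch(value):
        raise ValueError("username does not match declared schema")
    return value


def lookup_user(conn: sqlite3.Connection, username: str):
    """Parameterized query: the value is bound, never concatenated into SQL,
    so the interpreter always treats it as a literal string. Only the
    columns the endpoint is allowed to return are selected."""
    row = conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    return {"id": row[0], "username": row[1], "role": row[2]}


def handle_get_user(conn: sqlite3.Connection, raw_param) -> dict:
    """Endpoint handler: validate, then query, then return the limited view."""
    try:
        username = validate_username(raw_param)
    except ValueError:
        return {"status": 400, "error": "invalid username"}
    user = lookup_user(conn, username)
    if user is None:
        return {"status": 404}
    return {"status": 200, "user": user}
```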