API8: Injection☝️ — What you need to know

What is Injection?

  • If the input coming from the front end is not sanitized, we open ourselves to a world of problems: the user can send anything, and that data can interfere with whatever processes handle it later.
  • The same goes for validating and verifying the API request. Both have to happen before the data enters any kind of processing, because that is where it starts causing problems (login calls are a typical example). Make sure the API validates, verifies and sanitizes every input.
  • Pay attention not only to input typed in by the user directly: it can also arrive from third-party services or from file uploads, for example.
  • Take into account that background processes such as batch jobs may later read the stored data and trip over it, so unchecked input can trigger an injection long after the original request.

Example Attack Scenarios

A CSV upload whose columns each hold a lone single quote, a common probe to see whether the value reaches a query unescaped:

name,address,email,phone
',',','

The same upload with a stacked SQL statement in the name column:

name,address,email,phone
';select * from users;--,',','

An OS command injection through a query parameter, where the \n sequence ends the expected value so that the shell runs ping as a separate command:

index.php?osParam=\\nping -c 10 127.0.0.1
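The two CSV rows above run against a vulnerable and a parameterized import, as an added Python/SQLite example that is not part of the original post. The contacts table, the two importer functions and the second upload are assumptions made for the demo; that second payload is constructed so that it first completes the INSERT the vulnerable importer builds and then stacks a statement, the same technique as the ';select * from users;-- row.

```python
import csv
import io
import sqlite3

# Constructed sample uploads for this demo (not from the original post).
CSV_PROBE = "name,address,email,phone\n',',','\n"
# Constructed stacked-query payload in the phone column: it closes the VALUES
# list the vulnerable importer builds, then appends a second statement.
CSV_STACKED = (
    "name,address,email,phone\n"
    "Ada,1 Main St,ada@example.com,"
    "x');insert into contacts (name) values ('injected');--\n"
)


def fresh_db():
    """In-memory SQLite database with the table the import writes to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table contacts (name text, address text, email text, phone text)"
    )
    return conn


def import_unsafe(conn, csv_text):
    """Vulnerable importer: CSV fields are pasted into the SQL text.
    executescript() runs every ';'-separated statement it is given, which is
    exactly what a stacked-query payload relies on."""
    template = (
        "insert into contacts (name, address, email, phone) "
        "values ('%s', '%s', '%s', '%s')"
    )
    for row in csv.DictReader(io.StringIO(csv_text)):
        sql = template % (row["name"], row["address"], row["email"], row["phone"])
        conn.executescript(sql)


def import_safe(conn, csv_text):
    """Hardened importer: the statement text is fixed and every field is bound
    as a parameter, so a field can only ever be data, never SQL."""
    rows = [
        (r["name"], r["address"], r["email"], r["phone"])
        for r in csv.DictReader(io.StringIO(csv_text))
    ]
    conn.executemany(
        "insert into contacts (name, address, email, phone) values (?, ?, ?, ?)",
        rows,
    )
    conn.commit()


def run_import(importer, csv_text):
    """Run one importer on a fresh database.
    Returns ('ok', [(name, phone), ...]) or ('error', message)."""
    conn = fresh_db()
    try:
        importer(conn, csv_text)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    stored = [
        (name, phone)
        for (name, phone) in conn.execute(
            "select name, phone from contacts order by rowid"
        )
    ]
    return ("ok", stored)


if __name__ == "__main__":
    for label, text in (("probe row", CSV_PROBE), ("stacked query", CSV_STACKED)):
        print(label, "unsafe:", run_import(import_unsafe, text))
        print(label, "safe:  ", run_import(import_safe, text))
```

With the vulnerable importer the probe row turns into a SQL error (the quotes change the statement's structure, which is what the attacker is looking for), and the stacked payload inserts a second row the upload never contained. With bound parameters both rows are stored verbatim, quotes and all.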

Preventive measures against Injection vulnerabilities

  • Treat every input as hostile and filter, validate and verify it on every path into the API, including third-party inputs and indirect ones such as imported files.
  • Build a single input-handling component that performs these steps, and use that same component on every endpoint instead of re-implementing the checks per endpoint.
  • Prefer a well-known, tested library over writing your own.
  • Take care with special characters: each interpreter the data is bound for (SQL, shell, LDAP, HTML) has its own syntax for handling them, and the reliable approach is to use the mechanism that interpreter provides. For SQL that means parameterized queries rather than escaping values into a concatenated string.
  • Whenever multiple records are selected, limit the number of records returned per query to avoid mass disclosure.
  • Prefer a specification that defines how the API works, such as OpenAPI, and only accept requests that match its filtering, verification and validation rules.
  • Define what every string parameter may contain (type, length, format or pattern) and enforce it on all endpoints.
The snippet below shows values read from a database row being emitted as-is, then the same values passed through htmlentities() first. Note that htmlentities() is output encoding for an HTML context: it stops stored data from being interpreted as markup or script when it is rendered, but it does nothing for a SQL query or a shell command, which need parameterized queries and argument lists respectively.

// Before: values are used exactly as stored
$id = $row['id'];
$title = $row['title'];
$des = $row['description'];
$time = $row['date'];

// After: each value is HTML-encoded before it reaches the page
$id = htmlentities($row['id']);
$title = htmlentities($row['title']);
$des = htmlentities($row['description']);
$time = htmlentities($row['date']);
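The preventive measures above (one validation component, explicit type, length and format rules for every string parameter, reused on every endpoint) as an added Python example that is not code from the original post or from Wallarm. The CONTACT_RULES table, validate_record() and build_ping_argv() are assumptions made for the demo. It also covers the osParam example from the attack scenarios: the value is checked against an IP-address/hostname allowlist and returned as an argv list for subprocess.run(argv), so no shell ever parses it.

```python
import ipaddress
import re

# Constructed field rules (an assumption for this demo): max length plus an
# allowlist pattern per field, consulted by every endpoint that accepts a
# contact record. Patterns are used with fullmatch(), so no ^/$ anchors.
CONTACT_RULES = {
    "name": (64, re.compile(r"[A-Za-z][A-Za-z .'-]*")),
    "address": (128, re.compile(r"[A-Za-z0-9 ,.'#/-]+")),
    "email": (254, re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    "phone": (20, re.compile(r"\+?[0-9 ()-]{3,}")),
}

# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME = re.compile(
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def validate_record(record, rules=CONTACT_RULES):
    """Check one decoded record against the rules. Returns a list of error
    strings; an empty list means the record may proceed to the database.
    Unknown fields are rejected too, as a schema-driven (OpenAPI-style)
    validator would."""
    errors = []
    for field in record:
        if field not in rules:
            errors.append(f"{field}: unexpected field")
    for field, (max_len, pattern) in rules.items():
        value = record.get(field)
        if not isinstance(value, str):
            errors.append(f"{field}: missing or not a string")
            continue
        if len(value) > max_len:
            errors.append(f"{field}: longer than {max_len} characters")
            continue
        if pattern.fullmatch(value) is None:
            errors.append(f"{field}: does not match the allowed format")
    return errors


def is_host(target):
    """True for an IPv4/IPv6 address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME.fullmatch(target) is not None


def build_ping_argv(target):
    """Turn the osParam value into an argv list for subprocess.run(argv).
    Newlines, semicolons, spaces and a leading '-' can never reach ping as
    anything but a rejected value, and without shell=True there is no shell
    to interpret them anyway."""
    if not isinstance(target, str) or len(target) > 253 or not is_host(target):
        raise ValueError("target is not an IP address or hostname")
    return ["ping", "-c", "1", target]


if __name__ == "__main__":
    # Constructed sample records, including the payload rows from above.
    print(validate_record({"name": "O'Brien", "address": "1 Main St",
                           "email": "ob@example.com", "phone": "+1 (555) 0100"}))
    print(validate_record({"name": "';select * from users;--", "address": "'",
                           "email": "'", "phone": "'"}))
    print(build_ping_argv("127.0.0.1"))
    try:
        build_ping_argv("\nping -c 10 127.0.0.1")
    except ValueError as exc:
        print("rejected:", exc)
```

Two points worth noticing. A lone quote is a perfectly legal address character, so format validation alone lets it through; validation narrows the input to what the endpoint expects, while parameterized queries are what make the quote harmless. And the ping example is safe because of two independent measures: the allowlist check rejects the payload, and passing an argv list with no shell means that even a value that slipped past the check would be handed to ping as a single argument rather than parsed as a command line.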

Conclusion


Ivan Novikov, CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in real time.
