🔐 OWASP API Security

Understanding Injection Attacks in APIs

⚠️ Educational Purpose Only

This content is for educational and authorized security testing purposes only. Unauthorized access to systems is illegal and unethical.

Introduction to Injection Attacks

Injection attacks represent one of the most critical security vulnerabilities in modern web applications and APIs. According to OWASP (Open Web Application Security Project), injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

What is API Injection?

API injection vulnerabilities occur when an application accepts untrusted input and incorporates it directly into dynamic queries, commands, or code without proper validation or sanitization. This allows attackers to manipulate the application's logic, access unauthorized data, or even compromise the entire system.

SQL Injection - A Practical Example

Vulnerable Login Scenario

Consider a basic web application with a login page that accepts a username and password. The application constructs an SQL query to authenticate users:

Normal SQL Query:

SELECT * FROM users WHERE username = 'john_doe' AND password = 'secure123'

Injected SQL Query:

SELECT * FROM users WHERE username = 'admin' AND password = '' OR 1=1 --'

What happens: The injected query always returns true because 1=1 is always true, and the -- comments out the rest of the query. This bypasses authentication entirely!

Attack Flow Diagram

  1. User Input: username admin, password ' OR 1=1 --
  2. Query Construction: the values are concatenated straight into the SQL string
  3. SQL Execution: the WHERE clause always evaluates to true
  4. Unauthorized Access: login succeeds without valid credentials

Common SQL Injection Payloads

' OR '1'='1
' OR 1=1 --
admin' --
' OR 'a'='a
') OR ('1'='1

Types of Injection Attacks

Injection vulnerabilities extend far beyond SQL. Modern applications are susceptible to various injection types, each exploiting different interpreters and systems:

🗄️ SQL Injection

Manipulates SQL queries to access or modify database data, bypass authentication, or execute administrative operations.

⚡ NoSQL Injection

Targets NoSQL databases like MongoDB, exploiting JSON-based queries to bypass authentication or extract data.

🌐 LDAP Injection

Exploits LDAP queries used for directory services authentication and authorization, potentially granting unauthorized access.

⚙️ OS Command Injection

Executes arbitrary operating system commands on the server, potentially leading to complete system compromise.

🔗 XML Injection

Manipulates XML parsers to access unauthorized data, perform denial of service, or execute remote code.

💉 XSS (Cross-Site Scripting)

Injects malicious scripts into web pages viewed by other users, stealing cookies, session tokens, or sensitive information.

📊 CSV Injection

Injects formulas into CSV exports that execute when opened in spreadsheet applications, potentially compromising user systems.

📝 JSON Injection

Manipulates JSON data structures in APIs to alter application logic or access unauthorized information.

🔧 Template Injection

Exploits template engines to execute arbitrary code on the server through malicious template syntax.

Testing for SQL Injection

Manual Testing Techniques

Security professionals use various techniques to identify SQL injection vulnerabilities:

1. Single Quote Test

Insert a single quote (') into input fields to check if it causes an error:

username: admin'

If the application returns an SQL error, it's likely vulnerable.

2. Boolean-Based Testing

Use logical conditions to determine if injection is possible:

username: admin' AND '1'='1
username: admin' AND '1'='2

Compare responses to identify differences in application behavior.

3. Time-Based Blind Testing

Use time delay functions to confirm injection without visible errors:

username: admin' AND SLEEP(5) --

If the response is delayed by 5 seconds, injection is confirmed.

Automated Testing Tools

Professional security testers use specialized tools to identify injection vulnerabilities:

sqlmap -u "http://target.com/login" --forms --batch --risk=3 --level=5
burpsuite --intruder --payload-list=sql_injection.txt
owasp-zap -quickurl http://target.com -quickout report.html

NoSQL Injection Example

NoSQL databases like MongoDB are also vulnerable to injection attacks:

Vulnerable MongoDB Query:

db.users.find({ username: req.body.username, password: req.body.password })

Attack Payload (JSON):

{ "username": "admin", "password": { "$ne": null } }

Result: The $ne (not equal) operator matches any document whose password field is not null, so the admin record is returned without the real password being supplied, effectively bypassing authentication.
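To make the operator bypass concrete and show the check that stops it, here is an added Python illustration (not MongoDB, Mongoose or Express code). It uses a tiny stand-in matcher that understands only equality and $ne, a constructed two-user collection, and the page's exact JSON payload; the hardened version rejects any credential that is not a plain, bounded string before a filter is ever built.

```python
import json

# Stand-in for MongoDB's filter matching, supporting only equality and $ne.
# Added illustration, not database code: it exists to show why the operator
# payload matches a document that a plain string value would not.
def matches(doc: dict, query: dict) -> bool:
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict) and "$ne" in cond:
            if value == cond["$ne"]:
                return False
        elif value != cond:
            return False
    return True

# Constructed user collection (clear-text passwords only to mirror the page).
USERS = [
    {"username": "admin", "password": "hunter2-not-secret"},
    {"username": "john_doe", "password": "secure123"},
]

def vulnerable_find(body: dict) -> list:
    # Same shape as db.users.find({ username: req.body.username, password: req.body.password }):
    # whatever JSON the client sent becomes the filter value, operators included.
    query = {"username": body.get("username"), "password": body.get("password")}
    return [u for u in USERS if matches(u, query)]

class InvalidCredentialFormat(ValueError):
    """Raised when a credential field is not a plain, bounded string."""

def require_plain_string(value, field: str, max_len: int = 256) -> str:
    # Type check before the query is built: objects, lists, numbers and null are
    # rejected, so no operator ($ne, $gt, $regex, ...) can reach the driver.
    if not isinstance(value, str):
        raise InvalidCredentialFormat(f"{field} must be a string, got {type(value).__name__}")
    if not 1 <= len(value) <= max_len:
        raise InvalidCredentialFormat(f"{field} has invalid length {len(value)}")
    return value

def hardened_find(body: dict) -> list:
    username = require_plain_string(body.get("username"), "username")
    password = require_plain_string(body.get("password"), "password")
    return [u for u in USERS if matches(u, {"username": username, "password": password})]

# The page's payload, parsed as a JSON body parser would hand it to the handler.
PAYLOAD = json.loads('{ "username": "admin", "password": { "$ne": null } }')

if __name__ == "__main__":
    print("vulnerable:", vulnerable_find(PAYLOAD))
    try:
        hardened_find(PAYLOAD)
    except InvalidCredentialFormat as exc:
        print("hardened rejected:", exc)
```

The type check has to run on the parsed value, not on the raw request text: a JSON body and a query string parsed by qs (what Express uses with extended: true) both turn password[$ne]= into the same nested object. In Node, express-mongo-sanitize strips $-prefixed keys for the same purpose; the explicit string check above is the version that is easiest to reason about.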

OS Command Injection Example

Command injection allows attackers to execute arbitrary system commands:

Vulnerable Code:

system("ping -c 4 " + userInput)

Attack Payload:

127.0.0.1; cat /etc/passwd
127.0.0.1 && whoami
127.0.0.1 | ls -la

Result: Additional commands are executed on the server, potentially exposing sensitive files or system information.
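The fix for the ping example is to never hand user input to a shell at all: validate that the value is a host, then pass it as a single argv element. The following is an added Python example (not code from the page); the hostname regex and the function names are my own, and the hostile inputs are the three payloads listed above.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, whole name at most 253 characters. Assumed policy for this example.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def validate_host(user_input: str) -> str:
    """Return the input if it is an IP literal or a hostname; otherwise raise ValueError."""
    try:
        return str(ipaddress.ip_address(user_input))
    except ValueError:
        pass
    if HOSTNAME_RE.match(user_input):
        return user_input
    raise ValueError(f"not a valid host: {user_input!r}")

def build_ping_argv(user_input: str) -> list:
    # The host is one argv element placed after fixed options. Because the
    # validator rejects a leading '-', the value can never be read as an option.
    return ["ping", "-c", "4", validate_host(user_input)]

def run_ping(user_input: str) -> subprocess.CompletedProcess:
    # A list with shell=False (the default) goes straight to execve, so ';', '&&'
    # and '|' in the input are never interpreted by a shell. Not called below.
    return subprocess.run(build_ping_argv(user_input), capture_output=True, text=True, timeout=30)

# Payloads from the page; each is rejected before any process is started.
HOSTILE_INPUTS = ["127.0.0.1; cat /etc/passwd", "127.0.0.1 && whoami", "127.0.0.1 | ls -la"]

def rejected_count(inputs) -> int:
    """How many of the inputs the validator refuses to turn into a command."""
    rejected = 0
    for value in inputs:
        try:
            build_ping_argv(value)
        except ValueError:
            rejected += 1
    return rejected

if __name__ == "__main__":
    print(build_ping_argv("127.0.0.1"))
    print(f"{rejected_count(HOSTILE_INPUTS)} of {len(HOSTILE_INPUTS)} hostile inputs rejected")
```

Even with argv passing, keep the allow-list: without it an input such as -f would still reach ping as an option, which is why the validator refuses anything that is not an address or a hostname.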

LDAP Injection Example

LDAP injection targets directory services:

Normal LDAP Query:

(&(username=john)(password=secret))

Injected LDAP Query:

username: *)(|(password=*
(&(username=*)(|(password=*)(password=secret))

Result: The query is manipulated to return all users regardless of password.
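The defence on the directory side is to escape the filter metacharacters defined in RFC 4515 before the value is interpolated. The Python below is an added example, not code from the page: it implements that escaping by hand so it runs stand-alone (the ldap3 library ships an equivalent helper, ldap3.utils.conv.escape_filter_chars) and rebuilds the page's filter with the injected username to show that the parenthesis structure can no longer change.

```python
# RFC 4515 escapes for the characters that have meaning inside a search filter.
LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

def escape_ldap_filter(value: str) -> str:
    # Per-character mapping, so an escape sequence is never itself re-escaped.
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_auth_filter(username: str, password: str) -> str:
    # The page's filter shape with both values escaped. Filter-based password
    # checks are shown for comparison with the page only; see build_user_filter.
    return (
        f"(&(username={escape_ldap_filter(username)})"
        f"(password={escape_ldap_filter(password)}))"
    )

def build_user_filter(username: str) -> str:
    # Preferred pattern: look the account up by name only, then verify the
    # password with an LDAP bind as that entry's DN instead of a filter clause.
    # objectClass/uid attribute names are assumptions for this example.
    return f"(&(objectClass=person)(uid={escape_ldap_filter(username)}))"

if __name__ == "__main__":
    injected = "*)(|(password=*"
    print(build_auth_filter("john", "secret"))
    print(build_auth_filter(injected, "secret"))
    print(build_user_filter(injected))
```

After escaping, the injected username is searched for literally as the string "*)(|(password=*", which matches no entry, and the filter still has exactly the three opening parentheses the template started with.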

Prevention Strategies

1. Use Parameterized Queries (Prepared Statements)

// Vulnerable Code
query = "SELECT * FROM users WHERE username = '" + username + "'"

// Secure Code (Parameterized)
query = "SELECT * FROM users WHERE username = ?"
preparedStatement.setString(1, username)
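To see both halves of this strategy run, and to tie it back to the login scenario at the start of the page, here is an added Python example using the sqlite3 module from the standard library (it is not code from the page or from OWASP). It creates a constructed two-user table, sends the page's password payload ' OR 1=1 -- through a concatenated query and through a parameterized one, and returns how many rows each version matched.

```python
import sqlite3

# Constructed in-memory table standing in for the page's "users" table.
# Passwords are stored in clear text only to mirror the page's example;
# a real application stores a salted hash and compares against that.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "hunter2-not-secret"), ("john_doe", "secure123")],
    )
    return conn

def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    # String concatenation: the input becomes part of the SQL text, so the
    # quote, OR and -- in the payload are parsed as SQL.
    query = (
        "SELECT id, username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()

def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Placeholders: the driver sends the values separately from the SQL text,
    # so the payload is compared as a literal password string and matches nothing.
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def demo() -> dict:
    conn = make_db()
    payload = "' OR 1=1 --"
    return {
        "vulnerable_rows": len(vulnerable_login(conn, "admin", payload)),
        "safe_rows": len(safe_login(conn, "admin", payload)),
        "legit_rows": len(safe_login(conn, "john_doe", "secure123")),
    }

if __name__ == "__main__":
    print(demo())
```

The concatenated query becomes WHERE username = 'admin' AND password = '' OR 1=1 --' and returns every row in the table; the parameterized query with the same inputs returns none, and a real username/password pair still returns exactly one row.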

2. Input Validation and Sanitization

// Whitelist allowed characters
function validateUsername(username) {
  const regex = /^[a-zA-Z0-9_]{3,20}$/;
  return regex.test(username);
}

// Sanitize special characters: strip everything except word characters and
// whitespace (a fallback layer, not a substitute for parameterized queries)
function sanitizeInput(input) {
  return input.replace(/[^\w\s]/gi, '');
}

3. Use ORM/ODM Frameworks

// Using an ORM like Sequelize: the ORM binds the values as query parameters
User.findOne({
  where: { username: username, password: hashedPassword }
})

4. Implement Least Privilege Principle

GRANT SELECT, INSERT ON database.users TO 'webapp'@'localhost';

Limit database user permissions to only what's necessary for the application.

5. Web Application Firewall (WAF)

  • Configure WAF rules to detect and block injection attempts
  • Monitor logs for suspicious patterns like OR 1=1, UNION SELECT, etc.
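Monitoring for those patterns is easy to get wrong if the log is not decoded first, since the payloads arrive URL-encoded. The Python below is an added example (not from the page or any WAF product) that runs a small set of rules over constructed access-log lines: it decodes the request target, collapses whitespace, and reports which rule fired on which line. The sample lines and rule names are invented for the illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from any real system), combined-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/users?name=john_doe HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /api/users?name=admin%27%20OR%201%3D1%20-- HTTP/1.1" 200 9120
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /api/products?id=1%20UNION%20SELECT%20username%2C%20password%20FROM%20users HTTP/1.1" 500 301
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /api/login?username=admin&password%5B%24ne%5D=1 HTTP/1.1" 200 88
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /api/search?q=union%20station HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Each rule is (name, pattern). Patterns are deliberately narrow: "union station"
# must not fire, while "UNION SELECT" must.
RULES = [
    ("sqli_tautology", re.compile(r"['\"]\s*or\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("sqli_union", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("sqli_comment", re.compile(r"(--|#|/\*)\s*$|['\"]\s*--")),
    ("sqli_time", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)),
    ("nosql_operator", re.compile(r"(^|[?&\[])\$(ne|gt|lt|regex|where|in|nin|exists)\b", re.I)),
]

def normalize(target: str) -> str:
    # Decode twice: double-encoded payloads are a common way past naive filters.
    decoded = unquote_plus(unquote_plus(target))
    return re.sub(r"\s+", " ", decoded)

def scan_log(log_text: str) -> list:
    """Return one finding per log line on which at least one rule matched."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if not match:
            continue
        target = normalize(match.group("target"))
        hits = [name for name, pattern in RULES if pattern.search(target)]
        if hits:
            findings.append({"line": number, "ip": match.group("ip"), "rules": hits, "target": target})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']} from {finding['ip']}: {finding['rules']} -> {finding['target']}")
```

Treat such matches as signals to investigate, not as proof of compromise: the rules are a detection aid that sits beside parameterized queries, never a replacement for them, and a pattern list like this will always need tuning against your own traffic to keep false positives down.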

6. Error Handling

// Don't expose database errors to users
try {
  // Database operation
} catch (error) {
  console.error(error);                            // Log internally
  return "An error occurred. Please try again.";   // Generic message
}

Security Testing Checklist

  1. Identify all input points: Forms, URL parameters, headers, cookies, API endpoints
  2. Test each input with injection payloads: SQL, NoSQL, LDAP, command injection
  3. Analyze application responses: Error messages, behavior changes, time delays
  4. Test authentication bypass: Login forms, password reset, account recovery
  5. Check data extraction: UNION-based, error-based, blind injection techniques
  6. Test privilege escalation: Access to admin functions, other user data
  7. Document findings: Vulnerable parameters, payloads used, impact assessment
  8. Verify fixes: Retest after remediation to confirm vulnerability is resolved

Advanced Attack Vectors

Union-Based SQL Injection

admin' UNION SELECT username, password, email FROM users --

Extract data from other tables by appending UNION queries.

Blind SQL Injection

admin' AND (SELECT COUNT(*) FROM users) > 10 --

Extract data bit by bit when no visible output is returned.

Second-Order Injection

Malicious data is stored in the database and later executed when retrieved and used in another query without proper sanitization.

Real-World Impact

Consequences of Injection Attacks:

  • Data Breach: Unauthorized access to sensitive customer data, financial records, personal information
  • Authentication Bypass: Gaining administrative access without valid credentials
  • Data Manipulation: Modifying, deleting, or corrupting database records
  • System Compromise: Executing OS commands leading to full server control
  • Denial of Service: Crashing applications or databases through malicious queries
  • Reputation Damage: Loss of customer trust and business credibility
  • Legal Consequences: Regulatory fines, lawsuits, compliance violations

Additional Resources

🔗 Recommended Learning Resources:

  • OWASP Top 10: Official guide to the most critical web application security risks
  • PortSwigger Web Security Academy: Free interactive labs for practicing injection attacks
  • HackTheBox / TryHackMe: Hands-on platforms for ethical hacking practice
  • OWASP Juice Shop: Intentionally vulnerable web application for security training
  • SQLMap Documentation: Comprehensive guide to automated SQL injection testing

Conclusion

Injection attacks remain one of the most prevalent and dangerous security vulnerabilities in modern web applications and APIs. Understanding how these attacks work, their various forms, and proper prevention techniques is essential for developers, security professionals, and anyone involved in web application development.

The key takeaway: never trust user input. Always validate, sanitize, and use parameterized queries or prepared statements. Implement defense-in-depth strategies combining multiple security layers, and regularly test your applications for vulnerabilities.

Remember, security is not a one-time effort but an ongoing process. Stay updated with the latest attack techniques and security best practices to protect your applications and users effectively.