API8:2019 — Injection
Attackers construct API calls that include SQL, NoSQL, LDAP, OS, or other commands that the API or the backend behind it blindly executes.
- Attackers send malicious input to be forwarded to an internal interpreter:
- OS commands
- XML parsers
- Object-Relational Mapping (ORM)
How to prevent
- Never trust your API consumers, even if they are internal.
- Strictly define all input data, such as schemas, types, and string patterns, and enforce them at runtime.
- Validate, filter, and sanitize all incoming data.
- Define, limit, and enforce API outputs to prevent data leaks.