
API8:2019 Injection - OWASP API Security Top 10

Learn about API8:2019 Injection, a common OWASP API Security Top 10 vulnerability where attackers exploit APIs with injected malicious data, causing information disclosure, data loss, or even complete host takeover.

Overview

API8:2019 Injection is one of the OWASP API Security Top 10 vulnerabilities. Injection flaws are very common and are often found in SQL, LDAP, or NoSQL queries, OS commands, XML parsers, and ORMs. This vulnerability occurs when attackers feed malicious data through injection vectors, expecting it to be sent to an interpreter. Injection can lead to information disclosure, data loss, DoS, or complete host takeover.


Description

API8:2019 Injection is a vulnerability that allows attackers to exploit the API by injecting malicious data through various vectors. This vulnerability is prevalent and easily discoverable when reviewing the source code. Attackers can use scanners and fuzzers to exploit injection flaws. Injection can have severe impacts such as information disclosure, data loss, denial of service, or complete host takeover. This vulnerability occurs when client-supplied data is not properly validated, filtered, or sanitized by the API or when data from external systems is not validated before use.


How to Prevent?

To prevent injection vulnerabilities, it is important to keep data separate from commands and queries. The following prevention measures can be implemented:

1. Perform data validation using a single, trustworthy, and actively maintained library.
2. Validate, filter, and sanitize all client-provided data and data from integrated systems.
3. Escape special characters using the specific syntax for the target interpreter.
4. Use a safe API that provides a parameterized interface.
5. Limit the number of returned records to prevent mass disclosure.
6. Implement sufficient filters to validate incoming data and only allow valid values for each input parameter.
7. Define data types and strict patterns for all string parameters.
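The following is an added example, not code from the original page or from Cloud Defense, showing measures 4, 5, 6 and 7 applied to the bookingId lookup from Scenario #2 (a SQL backend via sqlite3 stands in for the booking store; the table layout, the 8-32 alphanumeric ID format and the 100-row cap are assumptions). The unsafe function builds the query from the raw parameter; the safe one keeps data and query separate with bound parameters, enforces a strict type and pattern on the input, scopes the lookup to the caller's own bookings and caps the result size.

```python
import re
import sqlite3

# Assumed strict format for bookingId: 8-32 alphanumeric characters (measure 7).
BOOKING_ID_RE = re.compile(r"[A-Za-z0-9]{8,32}")
# Assumed cap on returned records to prevent mass disclosure (measure 5).
MAX_ROWS = 100


def is_valid_booking_id(value):
    """Measure 6/7: accept only a str matching the strict pattern.
    A dict (a NoSQL operator object) or a string carrying SQL
    metacharacters fails this check before reaching any interpreter."""
    return isinstance(value, str) and BOOKING_ID_RE.fullmatch(value) is not None


def make_db():
    """Constructed in-memory sample store with two users' bookings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id TEXT, owner TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?)",
                     [("ABCD1234", "alice"), ("EFGH5678", "bob")])
    return conn


def find_booking_unsafe(conn, booking_id):
    """Vulnerable form: client data is concatenated into the command,
    so the parameter can rewrite the WHERE clause."""
    sql = "SELECT id, owner FROM bookings WHERE id = '%s'" % booking_id
    return conn.execute(sql).fetchall()


def find_booking_safe(conn, owner, booking_id):
    """Hardened form: validate first, then bind values through the
    parameterized interface (measure 4) and limit the row count."""
    if not is_valid_booking_id(booking_id):
        raise ValueError("invalid bookingId")
    return conn.execute(
        "SELECT id, owner FROM bookings WHERE id = ? AND owner = ? LIMIT ?",
        (booking_id, owner, MAX_ROWS),
    ).fetchall()
```

The owner column in the safe query is what stops the Scenario #2 outcome: even a syntactically valid bookingId belonging to another user returns nothing.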


Example Attack Scenarios:

  • Scenario #1: Firmware Injection: In this scenario, an attacker exploits an injection vulnerability in the firmware of a parental control device. By passing malicious data through the appId parameter, the attacker can trigger a system call that shuts down any device with the vulnerable firmware.

  • Scenario #2: NoSQL Injection: In this scenario, an attacker identifies a NoSQL injection vulnerability in an application with CRUD functionality for bookings. By manipulating the bookingId parameter in a delete booking request, the attacker can delete another user's booking.
