Introduction
APIs with the following properties are open to injection flaws:
I can also draw from experience on this vulnerability type, as I have found and reported it often. The forms I prefer are SQL injection via the import feature and OS command injection from an unexpected source. Let's start with the SQLi.
I found this issue while doing bug bounties on a private program. It happened because the developers had sanitised all the direct input very well, but they did not think to include the import functionality, since the base of the application had been built a year before the import functionality was added.
Upload.csv looked like this:
While uploading, I selected the comma as the field separator. This displayed a SQL error, and from there on I dug in deeper.
The error was:
Expects parameter 1 to be string, null given in /var/www/html/import.php
This made me close the query and start a new one of my own.
This made the application dump the entire users table in an error message; that was enough for me to report the issue and collect my bounty.
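As an added illustration (not the program's code, nor the author's), here is the same import-feature mistake reproduced in Python with SQLite: the import endpoint splices CSV cells straight into the INSERT statement, while the corrected version binds them as parameters. The CSV text, table layout and function names are all constructed for this example.

```python
import csv
import io
import sqlite3

# Constructed upload: a legitimate name with an apostrophe is enough to break a
# query built by string concatenation, producing the kind of SQL error that
# revealed the injectable import endpoint in the write-up above.
UPLOAD_CSV = "name,email\nalice,alice@example.test\no'brien,ob@example.test\n"

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # stands in for the application's database
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    return conn

def parse_upload(csv_text: str, sep: str):
    """Returns (name, email) pairs using the separator the uploader selected."""
    rows = csv.reader(io.StringIO(csv_text), delimiter=sep)
    next(rows)  # skip the header line
    return [(name, email) for name, email in rows]

def import_vulnerable(conn, csv_text: str, sep: str = ","):
    """The missed import path: CSV cells are spliced into the SQL text.
    Returns (rows_inserted, error_message); the message is what the app leaked."""
    inserted = 0
    for name, email in parse_upload(csv_text, sep):
        query = ("INSERT INTO users (name, email) VALUES ('"
                 + name + "', '" + email + "')")
        try:
            conn.execute(query)
            inserted += 1
        except sqlite3.OperationalError as exc:  # the cell altered the SQL grammar
            return inserted, str(exc)
    return inserted, None

def import_safe(conn, csv_text: str, sep: str = ","):
    """Same import with bound parameters: cell contents can never become SQL."""
    data = parse_upload(csv_text, sep)
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", data)
    return len(data), None

def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY name")]

if __name__ == "__main__":
    print(import_vulnerable(make_db(), UPLOAD_CSV))  # one row, then a syntax error
    safe = make_db()
    print(import_safe(safe, UPLOAD_CSV), stored_names(safe))  # (2, None) ['alice', "o'brien"]
```

The leaked error message from the concatenating version is the signal to look for in logs and error handling: a user-supplied cell should never be able to change the SQL grammar, only its bound values.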
The second example I have is a little less complicated. I noticed a parameter literally called "osParam" which seemed to have some flags in it, so I rushed to start up Burp Suite Intruder with a list of command injections I had prepared before, and had a hit on the 9th request that Burp Suite made. The command separator was a newline character '\n', and my ping command delayed the response.
So I quickly tried a whoami, reported the result and awaited approval, which came 2 days later.
An example in PHP which is badly implemented and leaves the app open to things such as XSS:
This is how it is supposed to be done:
This issue type is diverse and not always easy to test automatically, so we have to keep a good overview of every endpoint, including the less obvious ones. Manual testing is still advised to complement the automated tests in the areas where they fall short.
Taking every endpoint into account can be quite confusing, as it also means finding all the hidden parameters. New API endpoints should be added to the documentation as soon as they exist, and old endpoints should be indexed whenever possible. This problem can be solved by API Security Company.
Based on the statistics, we expect this vulnerability to take first place in the OWASP Top 10 in 2021.