Critical Severity | OWASP API Top 10
🔴 API Injection (SQLi, NoSQLi, Command)
🧠 Description
The API passes untrusted input (query string, JSON body, headers, path) into an interpreter, whether a SQL or NoSQL query, an OS shell, or an LDAP filter, without parameterization or proper escaping. An attacker who controls that input can alter the query's structure to read or modify data they are not authorized for, or execute commands on the host.
Impact: Data Exfiltration, RCE, System Compromise, Database Dump
🎯 Attack Surface
- Query parameters
- JSON body fields
- HTTP headers
- URL path segments
- File upload filenames
💣 Injection Payloads
' OR '1'='1
admin'--
{"username": {"$ne": ""}}
; whoami
$(whoami)
' UNION SELECT * FROM users--
🛡️ Mitigation
✅ Use parameterized queries/prepared statements; never build query strings by string concatenation or formatting
✅ Validate input (type, length, allowlist of characters) as defence in depth, not as the primary control
✅ Use an ORM, and keep its raw-query escape hatches parameterized as well
✅ For NoSQL, reject JSON values that are not the expected scalar type (an object such as {"$ne": ""} must never reach the driver)
✅ For OS commands, avoid the shell entirely: pass an argv list to the process API and allowlist the argument
✅ Run the API against a least-privilege database account (no DDL, no file read/write, no access to other schemas)
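The following is an added worked example, not code from the original page, tying the payloads above to the mitigations. It runs the SQL payloads against a string-formatted query and against the parameterized form using an in-memory SQLite database with constructed sample rows (plaintext passwords only to keep the demo short; real systems store hashes), applies the type check that blocks the NoSQL `$ne` payload, and shows the argv allowlist that stops `; whoami` reaching a shell. The UNION payload is adapted to two columns so it matches the example's SELECT. Function names and the `users` schema are assumptions for the illustration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two users, plaintext secrets for demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin"), ("alice", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """VULNERABLE: untrusted input is formatted straight into the SQL text.
    admin'--  comments out the password check; ' OR '1'='1 matches every row."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized: the driver sends the values separately, so quotes and
    comment markers in the input are data, never SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def nosql_login_filter(username, password) -> dict:
    """Build a NoSQL query document from JSON body fields.
    If the body is passed through as-is, {"username": {"$ne": ""}} turns an
    equality match into an operator query; insisting on str blocks that."""
    for name, value in (("username", username), ("password", password)):
        if not isinstance(value, str):
            raise ValueError(f"{name} must be a string, got {type(value).__name__}")
    return {"username": username, "password": password}


# Allowlist for a hostname argument: letters, digits, dot, hyphen; no leading
# hyphen (so the value cannot be parsed as an option), no shell metacharacters.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_ping_argv(host: str) -> list:
    """Return an argv list for subprocess.run(..., shell=False).
    '; whoami' and '$(whoami)' fail the allowlist, and because the command is
    never handed to a shell, metacharacters would be literal text anyway."""
    if not HOST_RE.match(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, admin'--      :", login_vulnerable(db, "admin'--", "wrong"))
    print("vulnerable, ' OR '1'='1   :", login_vulnerable(db, "' OR '1'='1", "' OR '1'='1"))
    print("safe, admin'--            :", login_safe(db, "admin'--", "wrong"))
    print("nosql filter              :", nosql_login_filter("alice", "hunter2"))
    print("ping argv                 :", build_ping_argv("example.com"))
```

Note that `login_safe` with `admin'--` returns an empty list rather than an error: the input is compared, as a literal string, against the `username` column and simply does not match. That is the behaviour to look for when verifying a fix, together with a database account that could not read other tables even if a UNION did get through.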