
Injection Attacks

If an endpoint does not sanitize or validate user input, then the right payload could cause a verbose response, a delay in processing time, an internal server error, or a database error. We should attempt fuzzing against all potential inputs, and especially within the following:

  • Headers

  • Query string parameters

  • Parameters in POST/PUT requests

Start by casting a wide net across the entire API and then narrow the focus of your attack. When reviewing API documentation, if the API is expecting a certain type of input (number, string, boolean value), send:

  • A very large number

  • A very large string

  • A negative number

  • A string (instead of a number or boolean value)

  • Random characters

  • Boolean values

  • Meta characters

By sending this input we are testing the limits of the target's input validation. If a certain type of input causes a verbose error or a delayed response, then you could be on the trail of an injection vulnerability.

Injection Types

SQLi

When looking for requests to target for database injections, seek out those that allow client input and can be expected to interact with a database. Here are some SQL metacharacters that can cause issues.

'
''
;%00
--
-- -
""
;
' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
' OR '' = '
OR 1=1
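To make the difference between a query that is broken by these metacharacters and one that is not concrete, here is an added example (not code from the original page or from the APISEC course) in Python using an in-memory SQLite database. The users table, the credentials and the function names are constructed for the example. The vulnerable login pastes input into the SQL text; the hardened login binds it as a parameter, so the same payload is compared as a literal string. The probe helper shows the "verbose error" tell-tale sign described above: a lone quote breaks the statement's syntax.

```python
import sqlite3

# Constructed sample database: two users (example data, not from the page).
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Deliberately vulnerable: user input is pasted into the SQL text, so a
    # quote in the input changes the structure of the query itself.
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()

def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> list:
    # Parameterized: the driver binds the values separately from the SQL text,
    # so the same payload is just an unusual username that matches no row.
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

def probe_vulnerable(conn: sqlite3.Connection, username: str) -> str:
    # Returns "error" when the input breaks the SQL syntax (the verbose-error
    # signal the text describes) and "ok" when the statement still parses.
    try:
        login_vulnerable(conn, username, "x")
        return "ok"
    except sqlite3.Error:
        return "error"

def demo() -> dict:
    conn = build_db()
    payload = "' OR 1 -- -"  # one of the metacharacter strings listed above
    return {
        "vulnerable": login_vulnerable(conn, payload, "anything"),  # every row
        "hardened": login_hardened(conn, payload, "anything"),      # no rows
    }

if __name__ == "__main__":
    print(demo())
    print(probe_vulnerable(build_db(), "'"))
```

The vulnerable query becomes `WHERE username = '' OR 1 -- -' AND password = 'anything'`: the `OR 1` makes the condition true for every row and the `-- -` comments out the password check. The fix is not escaping the quote but keeping data out of the statement text altogether.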

NoSQLi

APIs commonly use NoSQL databases due to how well they scale with the architecture designs common among APIs. NoSQL is an umbrella term that means the database does not use SQL. Therefore, these databases have unique structures, modes of querying, vulnerabilities, and exploits. The following are common NoSQL metacharacters you could send in an API request to manipulate the database.

$gt
{"$gt":""}
{"$gt":-1}
$ne
{"$ne":""}
{"$ne":-1}
$nin
{"$nin":1}
{"$nin":[1]}
{"$where":  "sleep(1000)"}

OSi

Operating system command injection is similar to the other injection attacks we’ve covered in this chapter, but instead of, say, database queries, you’ll inject a command separator and operating system commands. Characters such as the following all act as command separators, which enable a program to pair multiple commands together on a single line.

|
||
&
&&
'
"
;
'"
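The following added example (not code from the original page or the APISEC course) shows in Python why these separators matter and what the fix looks like. A request value is spliced into a shell command line in the vulnerable version, so a separator starts a second command; the hardened version allowlists the value and passes it as a single argument with no shell, so no separator is ever interpreted. `echo` stands in for whatever tool the endpoint really calls (for example a DNS lookup) so the example runs offline; it assumes a POSIX `/bin/sh` and `echo` on PATH. The hostname pattern and function names are constructed for the example.

```python
import re
import subprocess

# Strict allowlist for a hostname-like value (assumption for this example).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# The separator strings listed above, for the detection helper.
SEPARATORS = ["|", "||", "&", "&&", "'", '"', ";", "'\""]

def lookup_vulnerable(host: str) -> str:
    # Deliberately vulnerable: the value becomes part of a shell command line,
    # so "example.com; <other command>" runs the other command too.
    completed = subprocess.run(
        f"echo lookup {host}", shell=True, capture_output=True, text=True
    )
    return completed.stdout

def lookup_hardened(host: str) -> str:
    # Validate against the allowlist, then pass the value as one argv element
    # with no shell in between: separators are plain characters here.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    completed = subprocess.run(
        ["echo", "lookup", host], capture_output=True, text=True
    )
    return completed.stdout

def contains_separator(value: str) -> bool:
    # Detection helper for request logging or WAF rules: flags any value that
    # carries one of the separator strings from the list above.
    return any(sep in value for sep in SEPARATORS)

def compare(host: str) -> dict:
    # Run both versions on the same input and return what each produced.
    try:
        hardened = lookup_hardened(host)
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    return {"vulnerable": lookup_vulnerable(host), "hardened": hardened}

if __name__ == "__main__":
    print(compare("example.com; echo INJECTED"))
    print(contains_separator("example.com && id"))
```

Allowlisting is the primary control; dropping the shell is the second layer that holds even when the allowlist is wrong. The separator check is useful for alerting, not as the only defence, since a blocklist of characters is what the fuzzing described on this page is designed to get around.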

If you don’t know the target’s underlying operating system, use two payload positions: one for the command separator, followed by a second for the operating system command.

Fuzzing

Fuzzing Wide

  1. Duplicate the entire collection.

  2. Select the requests to fuzz with the Collection Runner.

  3. Use the 200 test to develop a baseline of expected responses.

Then, we can create a fuzzing environment, define fuzzing variables, and set these variables on the requests' injection points.

Compare and investigate the different results.

Update the variable and test for the next variable.

Response Code   Baseline   Fuzz   Fuzz1
200             3          1      1
500             3          4      4
404             3          3      2
403             1          1      0
400             0          1      3
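Comparing the runs by hand works for one table, but across many requests and variables it helps to script the triage. Here is an added example (not code from the original page or the APISEC course) in Python that takes a per-run response-code distribution, reports which codes moved against the baseline, and separately flags responses that took much longer than the baseline for the same request, which is the "delay in processing time" signal described at the top of the page. The `PAGE_TABLE` values are the numbers from the table above; the timed response records and the request names are constructed for the example, and the `factor=5` threshold is an assumption.

```python
from collections import Counter
from statistics import median

# Response-code counts per run, taken from the table above.
PAGE_TABLE = {
    "Baseline": Counter({200: 3, 500: 3, 404: 3, 403: 1, 400: 0}),
    "Fuzz":     Counter({200: 1, 500: 4, 404: 3, 403: 1, 400: 1}),
    "Fuzz1":    Counter({200: 1, 500: 4, 404: 2, 403: 0, 400: 3}),
}

# Constructed per-request records: (run, request, status, elapsed_ms).
RESPONSES = [
    ("Baseline", "GET /coupons", 200, 40),
    ("Baseline", "POST /validate", 200, 52),
    ("Baseline", "GET /orders", 404, 30),
    ("Fuzz", "GET /coupons", 200, 45),
    ("Fuzz", "POST /validate", 500, 48),
    ("Fuzz", "GET /orders", 404, 31),
    ("Fuzz", "POST /validate", 200, 1900),  # suspiciously slow
]

def code_distribution(records: list) -> dict:
    # Build the same kind of table as above from raw records: run -> Counter(code -> count).
    dist = {}
    for run, _req, status, _ms in records:
        dist.setdefault(run, Counter())[status] += 1
    return dist

def diff_runs(dist: dict, baseline: str = "Baseline", fuzz: str = "Fuzz") -> list:
    # Codes whose frequency changed relative to the baseline, as (code, base, fuzz),
    # sorted by code. New 500s and vanished 200s are the ones to open first.
    codes = set(dist[baseline]) | set(dist[fuzz])
    return sorted(
        (c, dist[baseline][c], dist[fuzz][c])
        for c in codes
        if dist[baseline][c] != dist[fuzz][c]
    )

def slow_responses(records: list, baseline: str = "Baseline", factor: int = 5) -> list:
    # Flag non-baseline responses slower than factor x the baseline median for
    # the same request: a possible time-based injection trail.
    base_times = {}
    for run, req, _status, ms in records:
        if run == baseline:
            base_times.setdefault(req, []).append(ms)
    flagged = []
    for run, req, status, ms in records:
        if run != baseline and req in base_times and ms > factor * median(base_times[req]):
            flagged.append((run, req, status, ms))
    return flagged

if __name__ == "__main__":
    print(diff_runs(PAGE_TABLE, "Baseline", "Fuzz"))
    print(diff_runs(PAGE_TABLE, "Baseline", "Fuzz1"))
    print(diff_runs(code_distribution(RESPONSES)))
    print(slow_responses(RESPONSES))
```

Against the table above, the Fuzz run shows two lost 200s, one extra 500 and a new 400; Fuzz1 moves every row. The 500s are the requests worth forwarding to Burp in the next step, and the slow-response list catches the cases a status-code table alone hides.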

Fuzzing Deep

Once we find interesting requests, we can forward & analyze them with Burp.

We can also fuzz the endpoint using CLI tools.

$ wfuzz -z file,/usr/share/wordlists/nosqli -H "Authorization: Bearer TOKEN" -H "Content-Type: application/json" -d "{\"coupon_code\":FUZZ}" http://crapi.apisec.ai/community/api/v2/coupon/validate-coupon --sc 200

Last updated 11 months ago

[Image: Duplicating the collection & selecting the target requests.]
[Image: Creating a fuzzing environment & setting the variables into the requests' injection points.]
[Image: Attacking the endpoint with Intruder.]
[Image: Exporting the request from Burp.]