Coders Conquer Security OWASP Top 10 API Series - Injection (SQL/NoSQL/OS Command Injection)

10th December 2020

Code injection attacks are among the most common methods attackers use to break into or manipulate systems, and historically they go back almost as far as coding itself. Injection vulnerabilities can be found in almost any framework; they commonly appear wherever untrusted input reaches an interpreter, including SQL, LDAP and NoSQL queries, OS commands, XML parsers and object-relational mapping layers.

In fact, almost any API is vulnerable to an injection attack if it accepts client-supplied input without first putting it through a verification or sanitization process. Attackers will simply feed the API with malicious code and requests through whatever injection vectors are available to see if it is sent to an interpreter. Once the exploitability of the API is verified, there is little stopping an attacker from performing unauthorized actions or even fully taking over an API, program, system or network.

Still need to learn more? Let's dive deeper:

How do attackers exploit code injection vulnerabilities?

It’s actually relatively easy for even a moderately skilled programmer to take advantage of a code injection vulnerability. Let’s look at a typical login process where a user enters their name and password. Once they have done that, the parameters are appended to a database query string that is submitted directly to the database. It would look something like this:

SELECT * FROM Users WHERE
Username = 'JohnnyB' AND
Password = 'Green33Reptile!'

It seems simple enough, and if user JohnnyB has entered the correct password, they will be allowed to access their account. The problem occurs if the parameters are placed into the query string exactly as submitted. In that case, a malicious user can append SQL to the end of their input, and the database will interpret and run it as part of the query.

On that same system, an attacker could type directly into the login and password fields so that the resulting query becomes:

SELECT * FROM Users WHERE
Username = 'admin' AND
Password = '123' OR 1 = 1;

By adding the “OR 1 = 1” clause directly through the password field, the attacker makes the WHERE condition true for every row, whether or not the password actually matches. Worse yet, in this case it means that they take over the administrator account on that system. Anything the admin can do is now also possible for the attacker.

Eliminating the Injection (SQL/NoSQL/OS Command Injection)

It would be nice if frameworks could differentiate user input from normal code and simply ignore injection attempts. Unfortunately, coders will need to do that themselves. The good news is that it’s not too difficult, and generally only needs doing at locations where users are allowed to input data, or data is coming in from an untrusted or outside source.

Any time a user is allowed to input data, whether it’s a login screen or a search window, the input coming from that vector must be validated, filtered, and sanitized. This includes any data that is coming from outside systems or even other APIs. And don’t forget GET and POST parameters, cookies and HTTP headers either.

Part of the filtering process should be escaping special characters like the apostrophe, asterisk or equals sign, which are all used to form arguments in code. Stripping or escaping those characters in user-supplied values severely restricts a hacker’s ability to send in code statements. If possible, you should also use parameterized queries, which pass user input to the database as data rather than as part of the query text, or restrict the user to a choice of approved inputs.

Finally, it’s a good idea to define data types and strict patterns that are valid for all string parameters. Allowlist acceptable strings, and block everything else. By doing all of this, you can deny attackers the freedom they need to send nefarious code to your APIs through user input fields, and keep injection attacks from succeeding.
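The login query from the example above, first built by string concatenation and then with bound parameters plus an allowlist on the username, as an added illustration that is not code from the original post. It assumes a constructed in-memory SQLite table; the `Users` schema, the plaintext passwords and the username pattern are assumptions for the demonstration only.

```python
import re
import sqlite3

# Constructed in-memory database; assumed schema for the demonstration only.
# Passwords are stored in plaintext here purely to keep the query visible.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
conn.execute("INSERT INTO Users VALUES ('admin', 'correct horse battery staple')")
conn.execute("INSERT INTO Users VALUES ('JohnnyB', 'Green33Reptile!')")


def login_vulnerable(username: str, password: str) -> bool:
    """Builds the query by concatenation, as in the article's login example.
    A password such as 123' OR 1 = 1 -- closes the literal, appends a clause
    that is true for every row, and comments out the trailing quote."""
    query = (f"SELECT * FROM Users WHERE Username = '{username}' "
             f"AND Password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(username: str, password: str) -> bool:
    """Same lookup with bound parameters: the driver sends the input as data,
    so the same payload is compared literally and never parsed as SQL."""
    query = "SELECT * FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Assumed allowlist policy for usernames: letters, digits and underscore only.
USERNAME_PATTERN = re.compile(r"[A-Za-z0-9_]{1,32}")


def login_hardened(username: str, password: str) -> bool:
    """Allowlist validation of the username on top of parameterization,
    rejecting input that does not match the strict pattern before it is used."""
    if not USERNAME_PATTERN.fullmatch(username):
        return False
    return login_parameterized(username, password)


if __name__ == "__main__":
    payload = "123' OR 1 = 1 --"
    print("vulnerable   :", login_vulnerable("admin", payload))      # True
    print("parameterized:", login_parameterized("admin", payload))   # False
    print("hardened     :", login_hardened("admin", payload))        # False
```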

Check out the Secure Code Warrior blog pages for more insight about this vulnerability and how to protect your organization and customers from the ravages of other security flaws. You can also try a demo of the Secure Code Warrior training platform to keep all your cybersecurity skills honed and up-to-date.

Matias is the co-founder and CTO of Secure Code Warrior. He has over a decade of hands-on software security experience, holding a Ph.D. in computer engineering from Ghent University.