Documentation
  • 🍻Intro
    • Why API Security is Critical?
    • Pynt at a Glance
    • Who Should Use Pynt?
  • 👩‍💻API Security Testing
    • Security Testing Overview
    • Prerequisites for Running Pynt Scans
    • How to Install Pynt CLI
    • How to install Pynt Binary (Linux only)
    • Pynt CLI Modes
      • 🔵Pynt Command CLI Mode
      • 🔵Pynt Listen CLI Mode
    • Pynt Security Tests Coverage
      • Business Logic Tests
      • Injection Tests
      • Authentication Bypass Tests
      • Mass Assignment Tests
      • Server-Side Request Forgery Tests
      • Stack Trace In Response
      • Lack of Resources and Rate Limiting
      • File Path Manipulation
      • GraphQL Introspection Vulnerability
      • GraphQL Alias Overloading
      • LLM APIs Vulnerabilities
      • Insecure Transport Scheme
      • Basic Authentication
      • HTTP Desynchronization (Desync) Attack
    • Sensitive Data Exposure Detection
    • Pynt Scans Troubleshooting
      • Pynt CLI Troubleshooting
      • Pynt for Postman Troubleshooting
        • Troubleshoot Pynt Container not Running Error
        • Troubleshoot Empty API Key Error
        • Troubleshoot Unauthorized API Key Error
        • Troubleshoot Collection Not Found Error
        • Troubleshoot Non-Unique Collection Name Error
        • Troubleshoot Empty Collection Identifier Error
        • Troubleshoot Unreachable Target Error
        • Troubleshoot Target Responds with Errors Error
        • Troubleshoot Unresolved Target Domain Error
        • Troubleshoot Unresolved Variable Error
        • Troubleshoot TLS Handshake Fail Error
        • Troubleshoot Few Requests Error
        • Troubleshoot One User Only Error
        • Troubleshoot Failed Assertions Error
    • How To
      • How to Run Business Logic Tests with Pynt
      • How to associate a Pynt scan to an Application in Pynt Dashboard
      • How to tag a scan in Pynt
    • Benchmarks
      • Pynt vs OWASP crAPI
  • 🤲Security Testing Integrations
    • 🟠Pynt with API Testing Tools
      • 🔘Pynt for Postman
        • Fork Pynt Collection
        • Run Pynt Container
        • Run Pynt in Postman
        • View Scan Results in Postman
      • 🔘Pynt for Insomnia
      • 🔘Pynt for ReadyAPI
    • 🟠Pynt with API Testing CLIs
      • 🔘Pynt for Newman (Postman CLI)
      • 🔘Pynt for TestRunner (ReadyAPI CLI)
    • 🟠Pynt with Testing Frameworks
      • 🔘Pynt for .NET (xUnit)
      • 🔘Pynt for Selenium
      • 🔘Pynt for Rest Assured
      • 🔘Pynt for Jest
      • 🔘Pynt for pytest
      • 🔘Pynt for Go
      • 🔘Pynt for JMeter
    • 🟠Pynt on CI/CD
      • ❗How to get Pynt ID for CI/CD Authentication
      • 🔘Pynt for GitHub Actions
      • 🔘Pynt for Azure DevOps Pipelines
      • 🔘Pynt for GitLab
      • 🔘Pynt for Jenkins
    • 🟠Pynt with Burp Suite
    • 🟠Pynt with Browsers
      • 🔘Pynt for Firefox Browser
    • 🟠Live Traffic Connectors
      • 🔘eBPF
        • 🔘Key Components
      • 🔘Traffic Mirroring
    • 🟠Advanced Pynt Examples
      • 🔘Pynt as a Standalone Container
      • 🔘Pynt with Prerecorded Har Files
      • 🔘Pynt with cURL
  • 🈸Applications View
    • Application View Overview
    • Manage Applications
      • Add Application
      • Delete Application
      • Rename Application
    • Manage Sources for API Discovery
      • Add Source
      • Delete Source
      • View Source Info
      • Source Categories
        • API Documentation
          • Swagger
          • Postman Collection
        • API Gateways
          • AWS API Gateway
          • Azure API Gateway
          • Kong API Gateway
          • GCP API Gateway
          • Gravitee API Gateway
        • Testing (API Security Scans)
        • Live Traffic
          • Data Collection with eBPF
          • ALB Traffic Capture with AWS Traffic Mirroring
        • Code Repository
    • Application Dashboard
    • Generate Pentest Report
  • 📚API Catalog
    • API Catalog Overview
    • Navigate API Catalog
      • Filtering API Catalog by Application
      • API Catalog Customization
      • API Related Info
      • APIs at Risk
    • Manage API Source Gaps
      • New APIs
      • Untested APIs
      • Shadow APIs
      • Undocumented APIs
    • View Detailed Endpoint Info
  • ⏪Scan History
    • Scan History Overview
    • Navigate Scan History
      • Associating Scans with Specific Application
      • Filtering by Application
      • Scan Related Info
      • Scan History Customization
    • View Detailed Scan Info
    • Associate Vulnerabilities to Tickets with JIRA
  • Account Management
    • Single Sign-On (SSO)
      • Setting up Okta
      • Setting up Entra ID
Powered by GitBook
On this page
  • What are the common mistakes made by developers?
  • How can I fix Injection issues?
  • SQL Injection
  • NoSQL Injection
  • Template Injection
  • Test cases in this category
  1. API Security Testing
  2. Pynt Security Tests Coverage

Injection Tests

Discover Pynt's documentation on security tests for injections! Learn how Pynt fortifies your APIs against injection vulnerabilities.

PreviousBusiness Logic TestsNextAuthentication Bypass Tests

Last updated 8 months ago

At a Glance: ⚠️ Injection flaws, such as SQL, NoSQL, and Command Injection, occur when untrusted data is sent to an interpreter as part of a command or query. Attackers can exploit these vulnerabilities to execute malicious commands or access unauthorized data. Source:

What are the common mistakes made by developers?

Injection attacks happen when input from an API request is used directly in an operation such as DB query, system call, or a template without validating whether the input includes unwanted characters.

How can I fix Injection issues?

SQL Injection

To prevent SQL injection attacks, consider the following measures:

  1. Use parameterized queries: Parameterized queries allow you to separate the SQL query logic from the user-supplied data. Instead of concatenating user input directly into the SQL statement, you use placeholders in the SQL statement and pass the user input as parameters to the query. This prevents attackers from injecting malicious code into the SQL statement.

Example of parameterized query in Python:

cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))

  1. Sanitize user input: Even with parameterized queries, it's important to sanitize user input to ensure that it conforms to expected values. This can include validating input format, data type, and length, as well as removing potentially harmful characters.

NoSQL Injection

here's an example of a NoSQL injection vulnerability in a Node.js API that uses MongoDB as the database:

const express = require('express');
const bodyParser = require('body-parser');
const mongodb = require('mongodb');

const app = express();
const mongoClient = mongodb.MongoClient;
const mongoUrl = 'mongodb://localhost:27017/mydb';

app.use(bodyParser.json());

app.post('/login', (req, res) => {
  const username = req.body.username;
  const password = req.body.password;

  mongoClient.connect(mongoUrl, (err, db) => {
    if (err) throw err;

    const users = db.collection('users');
    users.findOne({ username: username, password: password }, (err, user) => {
      if (err) throw err;

      if (user) {
        res.status(200).json({ message: 'Login successful' });
      } else {
        res.status(401).json({ message: 'Invalid username or password' });
      }

      db.close();
    });
  });
});

app.listen(3000, () => {
  console.log('API server started on port 3000');
});

In this example, the POST /login route accepts a JSON request body with a username and password field. The route queries the users collection in MongoDB to find a user with the specified credentials. If a matching user is found, the route returns a 200 OK response with a success message. If no matching user is found, the route returns a 401 Unauthorized response with an error message.

However, this API has a NoSQL injection vulnerability because it does not properly sanitize or validate the user input. An attacker can craft a specially-crafted JSON request body that bypasses the username and password check and allows them to log in as any user in the database.

For example, an attacker can send the following request body:

{
  "username": { "$ne": "" },
  "password": { "$ne": "" }
}

This request body contains MongoDB operators ($ne) that instruct MongoDB to return any user document that has a non-empty username and password field. By doing so, the attacker can bypass the username and password check and log in as any user in the database.

To prevent NoSQL injection vulnerabilities, you should always sanitize and validate user input before using it in database queries.

Command Injection

Here is an example of a command injection vulnerability in a Python Flask API:

import subprocess
from flask import Flask, request

app = Flask(__name__)

@app.route('/ping')
def ping():
    host = request.args.get('host')
    result = subprocess.check_output(['ping', '-c', '1', host])
    return result

if __name__ == '__main__':
    app.run(debug=True)

In this example, the GET /ping route accepts a query parameter host and uses the subprocess.check_output() method to run the ping command on the specified host. However, this API has a command injection vulnerability because it does not properly validate or sanitize the user input. An attacker can craft a specially-crafted query parameter that injects arbitrary commands into the ping command and executes them on the server.

For example, an attacker can send the following request:

GET /ping?host=127.0.0.1; ls -la

This request injects the ls -la command into the ping command and lists the contents of the current directory on the server.

To prevent command injection vulnerabilities, you should always sanitize and validate user input before using it in command-line or shell operations.

Template Injection

Here's an example of how template injection vulnerability can occur in an API:

Let's say you have an API that takes user input to generate a report. The report is generated using a template engine that allows users to inject their own variables into the template.

An attacker could exploit this vulnerability by injecting malicious code into the template engine. For example, suppose the attacker injects the following code into the template:

{{7*'7'}}

If the template engine doesn't properly sanitize the input, it will execute the expression and return the result, which is 49. However, if the attacker injects something more malicious, such as:

{{config.items()}}

This could allow the attacker to access and retrieve sensitive information about the server's configuration.

To prevent template injection vulnerabilities, it's important to always sanitize and validate user input before using it to generate templates. Additionally, it's important to limit the privileges of any code that executes within the context of the template engine to prevent attackers from executing arbitrary code on the server-side.

Test cases in this category

Test case
OWASP
CWE

[INJ001] SQL Injection (Generic)

[INJ002] MS-SQL Injection

[INJ003] MySQL Injection

[INJ004] SQLite Injection

[INJ005] PostgreSQL Injection

[INJ006] NoSQL Injection

[INJ007] Command Injection

[INJ008] Server-side template injection

💡 To learn more about injection flaws and how to prevent them, visit the .

👩‍💻
OWASP
OWASP Injection Flows Page
API8 OWASP API Top 10
CWE-89
API8 OWASP API Top 10
CWE-89
API8 OWASP API Top 10
CWE-89
API8 OWASP API Top 10
CWE-89
API8 OWASP API Top 10
CWE-89
API8 OWASP API Top 10
CWE-943
API8 OWASP API Top 10
CWE-77
API8 OWASP API Top 10
CWE-77