Versaria + Axway

solving-the-top-11-api-threats

Issue link: https://axway.uberflip.com/i/991646

Page 9 of 27

04 | The Curious Case of Injection

INJECTION CONTEXT

Injection is one of the most prevalent high-impact attack vectors. Injection vectors like SQL injection lead directly to most data breaches and serious security failures. APIs are the gateway to the enterprise core, and they often let attacks slip right through their grasp. That is because the target of the injection attack is the back-end database (as in SQL injection), a directory service (as in LDAP injection), an ERP system or even an HVAC system. The attackers can leverage those resources directly and/or use them as launch pads for further attacks.

VULNERABILITIES IDENTIFICATION & TRACKING

The root problem is the mixing of the control plane and the data plane. The results are many, but the two best known are SQL injection and cross-site scripting. The security architect must traverse the system to gather sources and sinks (where data enters and where it is used or written). For each input to the system, trace it to its sinks and examine how it is handled: Is the data user controllable? Is it validated in the system? For output data written back to the API caller, what is the source of that data? How is that data encoded?

COUNTERMEASURE(S)

Safe input/output handling is the key countermeasure. For input handling, this is generally a mix of:

• Data sanitization and escaping that removes or overwrites control characters
• Input validation that checks input against a known-good and/or known-bad list of words, characters and data types and blocks access when the regular-expression check fails

For output handling, the system must encode the data in a way that prevents user-controllable data from being propagated through the system in an executable format. This means encoding output data as JSON, HTML or another format, depending on how the client is set up to consume it.

ASSURANCE

This is an area where the security industry is particularly rich with testing tools. SQLMap is a powerful tool for testing your system for SQL injection [5]. Fuzzing tools like Burp Suite [6] can be instrumented with data from FuzzDB and other sources to identify SQL injection, cross-site scripting and other input/output-handling vulnerabilities.
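The countermeasures above (separate the data plane from the control plane, allow-list the input, encode the output for the consuming client) are shown below in a small Python example written for this page; it is not code from the original document or from Axway. The in-memory SQLite table, the usernames and the regular expression are all constructed for the demonstration. The unsafe lookup is included only to show the source-to-sink failure the text describes: a quote in the caller's data changes the structure of the query, so a value with an apostrophe breaks it and a tautology returns every row, while the parameterized lookup treats the same value as data and returns nothing.

```python
import html
import json
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data, not from the original page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"),
         ("bob", "bob@example.test"),
         ("o'brien", "ob@example.test")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str):
    # Sink with control/data planes mixed: the caller-supplied value becomes
    # part of the SQL text, so a quote character alters the query structure.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str):
    # Hardened sink: parameter binding keeps the value in the data plane;
    # the database never parses it as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def unsafe_query_is_broken_by(conn: sqlite3.Connection, username: str) -> bool:
    # Returns True when the concatenated query fails to parse for this input.
    try:
        lookup_unsafe(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


# Known-good (allow-list) validation at the API boundary. Anything outside the
# expected character set is rejected rather than repaired.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None


def encode_for_json(rows) -> str:
    # json.dumps escapes quotes and control characters for a JSON consumer.
    return json.dumps([{"username": u, "email": e} for u, e in rows])


def encode_for_html(rows) -> str:
    # html.escape neutralises <, >, &, and quotes for an HTML consumer.
    items = "".join(f"<li>{html.escape(u)}: {html.escape(e)}</li>" for u, e in rows)
    return f"<ul>{items}</ul>"


def handle_request(conn: sqlite3.Connection, username: str, fmt: str = "json"):
    # Validate at the source, bind at the sink, encode at the output.
    if not validate_username(username):
        return None  # blocked at the boundary; the API would answer 400
    rows = lookup_safe(conn, username)
    return encode_for_html(rows) if fmt == "html" else encode_for_json(rows)


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print("unsafe, tautology:", len(lookup_unsafe(db, probe)), "rows")
    print("safe, tautology:  ", len(lookup_safe(db, probe)), "rows")
    print("unsafe, apostrophe breaks query:", unsafe_query_is_broken_by(db, "o'brien"))
    print("safe, apostrophe:", lookup_safe(db, "o'brien"))
    print(handle_request(db, "alice", "html"))
```

The same structure applies to the other sinks the text names (LDAP filters, shell commands, HTML templates): the fix is always a sink-specific binding or encoding API, never hand-written string escaping, with allow-list validation as a second layer rather than the only one.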
