© 2024 Prancer Enterprise
OWASP top 10 API Security Vulnerabilities – Injection
April 12, 2023
OWASP API Security Injection


Injection refers to the risk of attackers injecting malicious code or commands into APIs, which can allow them to exploit vulnerabilities or manipulate data in unintended ways. This can occur when APIs do not properly validate or sanitize user input, or when APIs do not properly handle external data sources or systems.


Some common risks associated with Injection include:

  • Compromise of user accounts or data
  • Unauthorized access to sensitive data or functionality
  • Reputational damage for the organization due to data breaches or service disruptions
Attack Scenarios

Attack scenarios for cloud applications may include:

  • An attacker intercepts an API call and injects malicious code or commands into the request
  • An attacker exploits a vulnerability in the API to inject malicious code or commands into the response
  • An attacker uses an API to send malicious input in an attempt to exploit vulnerabilities or inject malicious code
Vulnerable Sample Code

A vulnerable sample of code in Go lang might look like this:

func getData(w http.ResponseWriter, r *http.Request) {
  // Get the search term from the request
  searchTerm := r.URL.Query().Get("term")

  // Retrieve the data from the database
  data, err := database.SearchData(searchTerm)
  if err != nil {
    http.Error(w, "Error searching data", http.StatusInternalServerError)

  // Return the data to the user

In this example, the API call allows users to search for data in a database based on a search term passed in the request. However, the API does not properly validate or sanitize the search term, allowing an attacker to inject malicious code or commands into the request. For example, an attacker could send a request with a search term such as “; DROP TABLE users;” which could potentially delete the entire users table in the database.

Sample Attack

A sample attack payload using the curl command might look like this:

curl http://api.example.com/getdata?term=%22%3B%20DROP%20TABLE%20users%3B%22

In this example, the attacker is using curl to send a request to the API with a malicious search term that includes a command to drop the users table in the database. If the API is vulnerable to Injection, the attacker may be able to execute the command and delete the table.

MITRE ATT&CK framework reference

Injection can be mapped to the Tactic: Execution and the Techniques: Command-Line Interface, Remote Command Execution in the MITRE ATT&CK framework. These techniques involve injecting malicious code or commands into systems or applications to execute them.


To mitigate the risk of Injection, organizations should ensure that they properly validate and sanitize user input and external data sources in their APIs. This may include implementing proper input validation and filtering, as well as regularly reviewing and testing the security of their API implementations. Organizations should also ensure that they have proper logging and monitoring in place to detect and respond to potential injection attacks.


Download API Security whitepaper

Our in-depth whitepaper provides valuable insights into how Prancer Security’s cutting-edge solution mitigates critical risks such as unauthorized access and data breaches, while adhering to the highest security standards.

Don’t leave your API security to chance – download our comprehensive whitepaper now and discover how Prancer Security can safeguard your organization from potential threats!