API Injection

The more you know about the API, the better your attacks will be. If you know what database the application uses, what operating system is running on the web server, or the programming language in which the app was written, you’ll be able to submit targeted payloads aimed at detecting vulnerabilities in those particular technologies.

After sending your fuzzing requests, hunt for responses that contain a verbose error message or some other failure to properly handle the request. In particular, look for any indication that your payload bypassed security controls and was interpreted as a command, either at the operat- ing system, programming, or database level.

This response could be as obvious as a message such as “SQL Syntax Error” or something as subtle as taking a little more time to process a request. You could even get lucky and receive an entire verbose error dump that can provide you with plenty of details about the host.

When you do come across a vulnerability, make sure to test every simi- lar endpoint for that vulnerability. Chances are, if you find a weakness in the /file/upload endpoint, all endpoints with an upload feature, such as /image/upload and /account/upload, have the same problem.