exploiting-api-injection-vulnerabilities
Exploiting API Injection Vulnerabilities
When to Use
- Testing API endpoints that accept user input for database queries, system commands, or external requests
- Assessing APIs that interact with SQL databases, NoSQL stores (MongoDB, Redis), LDAP directories, or external URLs
- Evaluating input validation and parameterized query usage across all API endpoints
- Testing for SSRF where API parameters accept URLs or hostnames that trigger server-side requests
- Identifying injection points in headers, path parameters, query strings, and JSON/XML request bodies
Do not use without written authorization. Injection testing can modify or destroy data and compromise backend systems.
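The SQL and NoSQL cases listed above come down to one question: is the API parameter interpreted as data or as query syntax? The following is an added worked example (not part of this skill or of any tool it names) using Python's built-in sqlite3 module as a stand-in for the target's database. It shows the deliberately vulnerable string-built query beside its parameterized form, a boolean-based differential check that tells them apart without destructive payloads, and two input-side checks for MongoDB operator injection in a JSON body. All table names, rows, field names and sample bodies are constructed for the example.

```python
import sqlite3
from typing import Any, Callable


def make_db() -> sqlite3.Connection:
    # Constructed sample backend: an in-memory users table; rows are invented.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # Deliberately vulnerable: the API parameter is spliced into the SQL text,
    # so a single quote in the value closes the literal and the rest is parsed as SQL.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # Hardened form: the driver binds the value, which can never become SQL syntax.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def boolean_sqli_indicator(lookup: Callable[..., list], conn: sqlite3.Connection,
                           baseline: str = "bob") -> bool:
    # Boolean-based differential test: appending a TRUE condition to a known-good
    # value should leave the response unchanged, while a FALSE condition should
    # empty it. Both holding at once means the parameter is evaluated as SQL.
    # Neither payload writes anything, so this is safe to use as a first probe.
    base = lookup(conn, baseline)
    true_case = lookup(conn, baseline + "' AND '1'='1")
    false_case = lookup(conn, baseline + "' AND '1'='2")
    return base == true_case and true_case != false_case


def find_operator_keys(body: Any, path: str = "body") -> list[str]:
    # Walks a parsed JSON request body and reports every key starting with "$",
    # i.e. MongoDB operator syntax ($ne, $gt, $regex, $where). A login handler
    # that forwards {"username": "...", "password": {"$ne": null}} into find()
    # matches any password, which is the classic NoSQL operator injection.
    hits: list[str] = []
    if isinstance(body, dict):
        for key, value in body.items():
            child = f"{path}.{key}"
            if key.startswith("$"):
                hits.append(child)
            hits.extend(find_operator_keys(value, child))
    elif isinstance(body, list):
        for i, item in enumerate(body):
            hits.extend(find_operator_keys(item, f"{path}[{i}]"))
    return hits


def non_scalar_fields(body: dict, fields: tuple[str, ...]) -> list[str]:
    # Hardening check for the handler side: fields that must be plain strings
    # are flagged when they arrive as objects or arrays, which is how operator
    # documents are smuggled in. A handler should reject the request if this
    # returns anything.
    return [name for name in fields if name in body and not isinstance(body[name], str)]


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable   :", lookup_vulnerable(conn, tautology))
    print("parameterized:", lookup_parameterized(conn, tautology))
    print("boolean indicator (vulnerable)   :", boolean_sqli_indicator(lookup_vulnerable, conn))
    print("boolean indicator (parameterized):", boolean_sqli_indicator(lookup_parameterized, conn))
    login = {"username": "alice", "password": {"$ne": None}}
    print("operator keys:", find_operator_keys(login))
    print("non-scalar fields:", non_scalar_fields(login, ("username", "password")))
```

The boolean check is the same logic SQLMap's boolean-based blind technique applies against a live endpoint; running it against the parameterized function shows why a differential, rather than a single tautology payload, is needed: a hardened endpoint simply returns no rows for every probe, so only the combination of "true payload equals baseline" and "false payload differs" is evidence of injection. Against a real API, the comparison would be on response status, length or body rather than on fetched rows.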
Prerequisites
- Written authorization specifying target API and backend systems in scope
- Python 3.10+ with the `requests` library
- SQLMap for automated SQL injection detection and exploitation
- Burp Suite Professional with Active Scan capabilities
- Knowledge of the backend database technology (MySQL, PostgreSQL, MongoDB, Redis)
- Isolated test environment to avoid production data corruption