• The API Platform for AI.

      Explore More
      Platform Runtimes
      Kong Gateway
      • Kong Cloud Gateways
      • Kong Ingress Controller
      • Kong Operator
      • Kong Gateway Plugins
      Kong AI Gateway
      Kong Event Gateway
      Kong Mesh
      Platform Core Services
      • Gateway Manager
      • Mesh Manager
      • Service Catalog
      Platform Applications
      • Developer Portal
      • API and AI Analytics
      • API Products
      Development Tools
      Kong Insomnia
      • API Design
      • API Testing and Debugging
      Self-Hosted API Management
      Kong Gateway Enterprise
      Kong Open Source Projects
      • Kong Gateway OSS
      • Kuma
      • Kong Insomnia OSS
      • Kong Community
      Get Started
      • Sign Up for Kong Konnect
      • Documentation
    • Featured
      Open Banking SolutionsMobile Application API DevelopmentBuild a Developer PlatformAPI SecurityAPI GovernanceKafka Event StreamingAI GovernanceAPI Productization
      Industry
      Financial ServicesHealthcareHigher EducationInsuranceManufacturingRetailSoftware & TechnologyTransportation
      Use Case
      API Gateway for IstioBuild on KubernetesDecentralized Load BalancingMonolith to MicroservicesObservabilityPower OpenAI ApplicationsService Mesh ConnectivityZero Trust SecuritySee all Solutions
      Demo

      Learn how to innovate faster while maintaining the highest security standards and customer trust

      Register Now
  • Customers
    • Documentation
      Kong KonnectKong GatewayKong MeshKong AI GatewayKong InsomniaPlugin Hub
      Explore
      BlogLearning CentereBooksReportsDemosCase StudiesVideos
      Events
      API SummitWebinarsUser CallsWorkshopsMeetupsSee All Events
      For Developers
      Get StartedCommunityCertificationTraining
    • Company
      About UsWhy Kong?CareersPress RoomInvestorsContact Us
      Partner
      Kong Partner Program
      Security
      Trust and Compliance
      Support
      Enterprise Support PortalProfessional ServicesDocumentation
      Press Release

      Kong Expands with New Headquarters in Downtown San Francisco

      Read More
  • Pricing
  • Login
  • Get a Demo
  • Start for Free
Blog
  • Engineering
  • Enterprise
  • Learning Center
  • Kong News
  • Product Releases
    • API Gateway
    • Service Mesh
    • Insomnia
    • Kubernetes
    • API Security
    • AI Gateway
  • Home
  • Blog
  • Product Releases
  • Protect APIs Against Injection Attacks with Content Inspection
Product Releases
December 20, 2024
6 min read

Protect APIs Against Injection Attacks with Content Inspection

Veena Rajarathna
Staff Product Manager, Kong
Brent Yarger
Software Engineer, Kong
Guilherme Salazar
Software Engineer, Kong

APIs facilitate effortless communication and data exchange between applications and services. However, their inherent design, which codifies service capabilities within the API definition, makes them easily exploitable by malicious actors. API attacks in the US alone are projected to cost $506 billion this decade — and are expected to surge 996% by 2030. And API-related breaches lead to more leaked data than the average security breach, according to Gartner.

APIs face numerous security threats, but one of the most pervasive and damaging is a class of attacks known as injection attacks. 

This article delves into various types of injection attacks and explores the crucial role API gateways play in safeguarding against these threats and fortifying your organization’s overall security posture. 

Injection attacks target more than web apps 

Injection attacks are a type of cyber attack where attackers insert malicious code or commands into an application, tricking it into executing unintended actions or accessing data without proper authorization. Injection attacks can cause severe security breaches.

While both application and API injection attacks involve malicious code being inserted into an input to execute unauthorized commands, the key difference lies in the point of entry: an application injection attack targets a user interface within the application, while an API injection attack targets vulnerabilities in the API endpoint itself, often exploiting how the API processes the user input directly.

Injection flaws, such as SQL, NoSQL, Command Injection, etc., occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s malicious data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
OWASP API Security Top 10 2019 Report

Why are APIs vulnerable to attacks? 

An API attack refers to any hostile or attempted hostile usage of an API. Attackers exploit vulnerabilities in API endpoints to gain unauthorized access, compromise data, disrupt services, or perform other malicious activities. 

During an API injection attack, a malicious actor crafts an API request that includes specially designed, harmful code, exploiting vulnerabilities in how the API processes user input, which then allows the attacker to execute unauthorized commands on the server, potentially accessing sensitive data, manipulating information, or even gaining full system control. 

API vulnerabilities are weaknesses or flaws in the design, implementation, or management of an API, making them attractive targets for cybercriminals. The API implementations can lack security checks by neglecting crucial elements like proper input validation, robust authentication mechanisms, authorization controls, rate limiting, and comprehensive logging, which leaves APIs vulnerable to attacks like SQL injection, unauthorized access, data breaches, and denial-of-service attacks, especially when dealing with sensitive data. This can be attributed to the following:

  • Rushed development
  • Inexperienced developers
  • Poor coding practices
  • Lack of security expertise 
  • Improper configuration
  • Not prioritizing security best practices during the design and implementation phases

All of these factors create a significant attack surface, making APIs a prime target for cyber attacks.

Anatomy of an injection attack

Injection attacks take advantage of a key weakness in data processing. Due to missing validation or poor sanitization of user-supplied input, attackers can inject malicious code or commands to gain unauthorized access, compromise databases, steal sensitive information, or cause disruption.

The general flow of an injection attack is as follows:

  1. Identify vulnerable input fields.
  2. Craft malicious inputs by inserting malicious code into API parameters or headers. 
  3. Execute malicious commands. 
  4. Exfiltrate data.

Common types of API injection attacks include: 

  • SQL Injection attacks compromise data integrity and confidentiality. Such attacks involve manipulating SQL queries to obtain or modify data.
  • Cross-Site Scripting (XSS) attacks hijack the session by injecting malicious scripts into pages being viewed by the user.
  • Command Injection attacks allow attackers to execute arbitrary commands and compromise the system.
  • XPATH Injections target applications that store and transfer data using XML. The XML queries are manipulated to access unauthorized data.
  • Code Injection attacks execute malicious code and can install backdoors into the system.

Attackers have a number of different exploit techniques or methodologies. They often chain techniques together to breach and compromise the system.

Defending APIs against injection attacks

An effective API security strategy to defend APIs and counter injection attacks should be multifaceted. It should include both preventative and defensive approaches. Preventative strategies focus on stopping injection vulnerabilities from forming by implementing secure coding practices like:

  • Input validation
  • Parameterized queries
  • Stored procedures for database queries
  • Principle of least privilege

Defensive strategies involve measures taken to actively prevent, detect, and mitigate injection attacks. These can include things like an API gateway, a web application firewall, and observability

The role of the API gateway in securing APIs

An API gateway is an essential component in the API infrastructure. By acting as an entry point, it helps prevent injection attacks by scrutinizing all API requests before they reach the backend systems.   

We're excited to introduce the Injection Protection Plugin in Kong Gateway Enterprise with our 3.9 release. The plugin effectively blocks malicious requests containing harmful code like SQL injection or XSS, thus protecting backends from being compromised.

Kong Injection Protection Plugin

With the Injection Protection Plugin, Kong Gateway helps secure your APIs against various forms of injection attacks. The plugin is designed to extract content from a request and evaluate it against a list of common injection patterns. If the content matches a pattern, Kong Gateway flags the request as malicious and, by default, blocks it at the gateway, thus protecting the backend systems. The plugin can be configured to extract the content from headers, body,  path, and query parameters and inspect it against a list of injection patterns. 

The plugin supports the following injections out of the box:

  • SQL Injection
  • XSS Injection (cross-site scripting)
  • Server-Side Include Injection
  • Java Exception Injection
  • XPath Abbreviated Syntax Injection
  • XPath Expanded Syntax Injection

The plugin supports two modes of enforcement. By default, it operates in the block mode, blocking offending requests at the gateway. It can also operate in a monitor-only mode,  where offending requests are logged in detail.  

Figure 1: Example plugin configuration 

Custom Injections

For scenarios where the standard out-of-the-box patterns are too restrictive or there is a need for custom pattern matching, the plugin supports defining custom regex patterns. Custom patterns are evaluated in the same way as standard ones, and offending requests are identified and blocked.

Here is an example of a custom pattern that will detect Log4Shell attacks. It looks for the dollar sign '$' and left brace '{', and if found, will log a WARN level message (and block the request if configured to do so). 

Figure 2 : Example custom injection 

Figure 3 : Plugin payload example with custom injection pattern

A sample request with a Log4Shell injection is shown below:

Kong identifies the offending request and logs the following message into access logs:

Summary

Injection attacks pose a significant security risk, accounting for 14.4% of all vulnerabilities across the full stack. APIs are particularly susceptible to these threats, which can be launched through various vectors. To effectively mitigate this risk, organizations must employ a multi-layered approach combining both offensive and defensive strategies. A critical component of this defense is an API gateway that can inspect content and provide robust protection, making it an essential security tool for any organization. 

Next steps

Start with Kong Gateway 3.9 by signing up for Kong Konnect for free. Or, if you want to try Kong Gateway Enterprise 3.9, you can explore the options for getting started here. 

To explore the comprehensive list of features, fixes, and updates, please see the available CHANGELOG for Kong Gateway Enterprise here.

Topics:API Security
|
Kong Gateway Enterprise
|
Plugins
Powering the API world

Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

Sign up for Kong newsletter

Platform
Kong KonnectKong GatewayKong AI GatewayKong InsomniaDeveloper PortalGateway ManagerCloud GatewayGet a Demo
Explore More
Open Banking API SolutionsAPI Governance SolutionsIstio API Gateway IntegrationKubernetes API ManagementAPI Gateway: Build vs BuyKong vs PostmanKong vs MuleSoftKong vs Apigee
Documentation
Kong Konnect DocsKong Gateway DocsKong Mesh DocsKong Insomnia DocsKong Plugin Hub
Open Source
Kong GatewayKumaInsomniaKong Community
Company
About KongCustomersCareersPressEventsContactPricing
  • Terms•
  • Privacy•
  • Trust and Compliance
  • © Kong Inc. 2025