APIs facilitate effortless communication and data exchange between applications and services. However, their inherent design, which codifies service capabilities within the API definition, makes them easily exploitable by malicious actors. API attacks in the US alone are projected to cost $506 billion this decade — and are expected to surge 996% by 2030. And API-related breaches lead to more leaked data than the average security breach, according to Gartner.
APIs face numerous security threats, but one of the most pervasive and damaging is a class of attacks known as injection attacks.
This article delves into various types of injection attacks and explores the crucial role API gateways play in safeguarding against these threats and fortifying your organization’s overall security posture.
Injection attacks are a type of cyber attack where attackers insert malicious code or commands into an application, tricking it into executing unintended actions or accessing data without proper authorization. Injection attacks can cause severe security breaches.
While both application and API injection attacks involve malicious code being inserted into an input to execute unauthorized commands, the key difference lies in the point of entry: an application injection attack targets a user interface within the application, while an API injection attack targets vulnerabilities in the API endpoint itself, often exploiting how the API processes the user input directly.
An API attack refers to any hostile or attempted hostile usage of an API. Attackers exploit vulnerabilities in API endpoints to gain unauthorized access, compromise data, disrupt services, or perform other malicious activities.
During an API injection attack, a malicious actor crafts an API request that includes specially designed, harmful code, exploiting vulnerabilities in how the API processes user input, which then allows the attacker to execute unauthorized commands on the server, potentially accessing sensitive data, manipulating information, or even gaining full system control.
API vulnerabilities are weaknesses or flaws in the design, implementation, or management of an API, making them attractive targets for cybercriminals. The API implementations can lack security checks by neglecting crucial elements like proper input validation, robust authentication mechanisms, authorization controls, rate limiting, and comprehensive logging, which leaves APIs vulnerable to attacks like SQL injection, unauthorized access, data breaches, and denial-of-service attacks, especially when dealing with sensitive data. This can be attributed to the following:
All of these factors create a significant attack surface, making APIs a prime target for cyber attacks.
Injection attacks take advantage of a key weakness in data processing. Due to missing validation or poor sanitization of user-supplied input, attackers can inject malicious code or commands to gain unauthorized access, compromise databases, steal sensitive information, or cause disruption.
The general flow of an injection attack is as follows:
Common types of API injection attacks include:
Attackers have a number of different exploit techniques or methodologies. They often chain techniques together to breach and compromise the system.
An effective API security strategy to defend APIs and counter injection attacks should be multifaceted. It should include both preventative and defensive approaches. Preventative strategies focus on stopping injection vulnerabilities from forming by implementing secure coding practices like:
Defensive strategies involve measures taken to actively prevent, detect, and mitigate injection attacks. These can include things like an API gateway, a web application firewall, and observability
An API gateway is an essential component in the API infrastructure. By acting as an entry point, it helps prevent injection attacks by scrutinizing all API requests before they reach the backend systems.
We're excited to introduce the Injection Protection Plugin in Kong Gateway Enterprise with our 3.9 release. The plugin effectively blocks malicious requests containing harmful code like SQL injection or XSS, thus protecting backends from being compromised.
With the Injection Protection Plugin, Kong Gateway helps secure your APIs against various forms of injection attacks. The plugin is designed to extract content from a request and evaluate it against a list of common injection patterns. If the content matches a pattern, Kong Gateway flags the request as malicious and, by default, blocks it at the gateway, thus protecting the backend systems. The plugin can be configured to extract the content from headers, body, path, and query parameters and inspect it against a list of injection patterns.
The plugin supports the following injections out of the box:
The plugin supports two modes of enforcement. By default, it operates in the block mode, blocking offending requests at the gateway. It can also operate in a monitor-only mode, where offending requests are logged in detail.
Figure 1: Example plugin configuration
For scenarios where the standard out-of-the-box patterns are too restrictive or there is a need for custom pattern matching, the plugin supports defining custom regex patterns. Custom patterns are evaluated in the same way as standard ones, and offending requests are identified and blocked.
Here is an example of a custom pattern that will detect Log4Shell attacks. It looks for the dollar sign '$' and left brace '{', and if found, will log a WARN level message (and block the request if configured to do so).
Figure 2 : Example custom injection
Figure 3 : Plugin payload example with custom injection pattern
A sample request with a Log4Shell injection is shown below:
Kong identifies the offending request and logs the following message into access logs:
Injection attacks pose a significant security risk, accounting for 14.4% of all vulnerabilities across the full stack. APIs are particularly susceptible to these threats, which can be launched through various vectors. To effectively mitigate this risk, organizations must employ a multi-layered approach combining both offensive and defensive strategies. A critical component of this defense is an API gateway that can inspect content and provide robust protection, making it an essential security tool for any organization.
Start with Kong Gateway 3.9 by signing up for Kong Konnect for free. Or, if you want to try Kong Gateway Enterprise 3.9, you can explore the options for getting started here.
To explore the comprehensive list of features, fixes, and updates, please see the available CHANGELOG for Kong Gateway Enterprise here.
As API ecosystems grow more complex, maintaining visibility and security shouldn't be a hurdle. Kong Gateway 3.13 simplifies these challenges with expanded OpenTelemetry support and more flexible orchestration. These new capabilities not only make y
Today we're excited to announce Kong Gateway 3.9! Since unveiling Kong Gateway 3.8 at API Summit 2024 just a few months ago, we’ve been busy making important updates and improvements to Kong Gateway. This release introduces new functionality arou
A quick refresher: Kong Cloud Gateways Kong Cloud Gateways are fully managed, high-performance data planes running on customer-dedicated infrastructure, orchestrated and operated by Kong through Kong Konnect . Customers can choose between: Serverle
As of September 2025, Kong Gateway Enterprise 3.8 will enter its End Of Life (EOL) phase and will no longer be fully supported by Kong. Following this, Kong Gateway Enterprise 3.8 will enter a 12-month sunset support period, focused on helping cus
In today's interconnected web ecosystem, modern applications frequently need to communicate across different domains, making Cross-Origin Resource Sharing (CORS) a fundamental concept for web developers to master. This comprehensive guide explores C
Background In a previous blog post , we discussed the prevalence of bearer tokens (or access tokens) to restrict access to protected resources, the challenges the sheer nature of bearer tokens present, and available mitigations. To recap, presentin