Protect APIs Against Injection Attacks with Content Inspection

APIs facilitate effortless communication and data exchange between applications and services. However, their inherent design, which codifies service capabilities within the API definition, makes them easily exploitable by malicious actors. API attacks in the US alone are projected to cost $506 billion this decade — and are expected to surge 996% by 2030. And API-related breaches lead to more leaked data than the average security breach, according to Gartner.

APIs face numerous security threats, but one of the most pervasive and damaging is a class of attacks known as injection attacks. 

This article delves into various types of injection attacks and explores the crucial role API gateways play in safeguarding against these threats and fortifying your organization’s overall security posture. 

Injection attacks target more than web apps 

Injection attacks are a type of cyber attack where attackers insert malicious code or commands into an application, tricking it into executing unintended actions or accessing data without proper authorization. Injection attacks can cause severe security breaches.

While both application and API injection attacks involve malicious code being inserted into an input to execute unauthorized commands, the key difference lies in the point of entry: an application injection attack targets a user interface within the application, while an API injection attack targets vulnerabilities in the API endpoint itself, often exploiting how the API processes the user input directly.

Why are APIs vulnerable to attacks? 

An API attack refers to any hostile or attempted hostile usage of an API. Attackers exploit vulnerabilities in API endpoints to gain unauthorized access, compromise data, disrupt services, or perform other malicious activities. 

During an API injection attack, a malicious actor crafts an API request that includes specially designed, harmful code, exploiting vulnerabilities in how the API processes user input, which then allows the attacker to execute unauthorized commands on the server, potentially accessing sensitive data, manipulating information, or even gaining full system control. 

API vulnerabilities are weaknesses or flaws in the design, implementation, or management of an API, making them attractive targets for cybercriminals. The API implementations can lack security checks by neglecting crucial elements like proper input validation, robust authentication mechanisms, authorization controls, rate limiting, and comprehensive logging, which leaves APIs vulnerable to attacks like SQL injection, unauthorized access, data breaches, and denial-of-service attacks, especially when dealing with sensitive data. This can be attributed to the following:

• Rushed development
• Inexperienced developers
• Poor coding practices
• Lack of security expertise 
• Improper configuration
• Not prioritizing security best practices during the design and implementation phases

All of these factors create a significant attack surface, making APIs a prime target for cyber attacks.

Anatomy of an injection attack

Injection attacks take advantage of a key weakness in data processing. Due to missing validation or poor sanitization of user-supplied input, attackers can inject malicious code or commands to gain unauthorized access, compromise databases, steal sensitive information, or cause disruption.

The general flow of an injection attack is as follows:

1. Identify vulnerable input fields.
2. Craft malicious inputs by inserting malicious code into API parameters or headers. 
3. Execute malicious commands. 
4. Exfiltrate data.

Common types of API injection attacks include: 

• SQL Injection attacks compromise data integrity and confidentiality. Such attacks involve manipulating SQL queries to obtain or modify data.
• Cross-Site Scripting (XSS) attacks hijack the session by injecting malicious scripts into pages being viewed by the user.
• Command Injection attacks allow attackers to execute arbitrary commands and compromise the system.
• XPATH Injections target applications that store and transfer data using XML. The XML queries are manipulated to access unauthorized data.
• Code Injection attacks execute malicious code and can install backdoors into the system.

Attackers have a number of different exploit techniques or methodologies. They often chain techniques together to breach and compromise the system.

Defending APIs against injection attacks

An effective API security strategy to defend APIs and counter injection attacks should be multifaceted. It should include both preventative and defensive approaches. Preventative strategies focus on stopping injection vulnerabilities from forming by implementing secure coding practices like:

• Input validation
• Parameterized queries
• Stored procedures for database queries
• Principle of least privilege

Defensive strategies involve measures taken to actively prevent, detect, and mitigate injection attacks. These can include things like an API gateway, a web application firewall, and observability

The role of the API gateway in securing APIs

An API gateway is an essential component in the API infrastructure. By acting as an entry point, it helps prevent injection attacks by scrutinizing all API requests before they reach the backend systems.   

We're excited to introduce the Injection Protection Plugin in Kong Gateway Enterprise with our 3.9 release. The plugin effectively blocks malicious requests containing harmful code like SQL injection or XSS, thus protecting backends from being compromised.

Kong Injection Protection Plugin

With the Injection Protection Plugin, Kong Gateway helps secure your APIs against various forms of injection attacks. The plugin is designed to extract content from a request and evaluate it against a list of common injection patterns. If the content matches a pattern, Kong Gateway flags the request as malicious and, by default, blocks it at the gateway, thus protecting the backend systems. The plugin can be configured to extract the content from headers, body,  path, and query parameters and inspect it against a list of injection patterns. 

The plugin supports the following injections out of the box:

• SQL Injection
• XSS Injection (cross-site scripting)
• Server-Side Include Injection
• Java Exception Injection
• XPath Abbreviated Syntax Injection
• XPath Expanded Syntax Injection

The plugin supports two modes of enforcement. By default, it operates in the block mode, blocking offending requests at the gateway. It can also operate in a monitor-only mode,  where offending requests are logged in detail.  

Figure 1: Example plugin configuration 

Custom Injections

For scenarios where the standard out-of-the-box patterns are too restrictive or there is a need for custom pattern matching, the plugin supports defining custom regex patterns. Custom patterns are evaluated in the same way as standard ones, and offending requests are identified and blocked.

Here is an example of a custom pattern that will detect Log4Shell attacks. It looks for the dollar sign '$' and left brace '{', and if found, will log a WARN level message (and block the request if configured to do so). 

Figure 2 : Example custom injection 

Figure 3 : Plugin payload example with custom injection pattern

A sample request with a Log4Shell injection is shown below:

Kong identifies the offending request and logs the following message into access logs:

Summary

Injection attacks pose a significant security risk, accounting for 14.4% of all vulnerabilities across the full stack. APIs are particularly susceptible to these threats, which can be launched through various vectors. To effectively mitigate this risk, organizations must employ a multi-layered approach combining both offensive and defensive strategies. A critical component of this defense is an API gateway that can inspect content and provide robust protection, making it an essential security tool for any organization. 

Next steps

Start with Kong Gateway 3.9 by signing up for Kong Konnect for free. Or, if you want to try Kong Gateway Enterprise 3.9, you can explore the options for getting started here. 

To explore the comprehensive list of features, fixes, and updates, please see the available CHANGELOG for Kong Gateway Enterprise here.