Input Validation and Injection Testing
API injection testing extends beyond traditional SQL injection to include NoSQL injection, LDAP injection, and command injection specific to API backends. JSON-based APIs may be vulnerable to NoSQL injection when they pass request objects straight into MongoDB or similar databases. Test with payloads like `{"$ne": null}` or `{"$gt": ""}` in search parameters. XML APIs require testing for XXE (XML External Entity) attacks by injecting DOCTYPE declarations with external entity references.
```
// NoSQL injection test payloads
{
  "username": {"$ne": null},
  "password": {"$ne": null}
}

{
  "query": {"$where": "this.password == 'test'"}
}

// JSON injection
{
  "name": "test\",\"admin\":true,\"name\":\"test"
}
```
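The operator payloads above only work because the backend accepts a JSON object where it expected a string. As an added example (not code from the original article), the following Node.js check, with a hypothetical login handler in mind, rejects MongoDB operator keys anywhere in a request body and enforces that credential fields are plain strings, using the article's payloads as constructed sample input:

```javascript
// Added example, not from the original article. A handler that runs
// db.users.findOne({ username: body.username, password: body.password })
// is injectable when body.username is an object such as {"$ne": null}.

// Recursively collect keys that start with "$" (query operators) or
// contain "." (dotted field paths), reporting their JSON path.
function findOperatorKeys(value, path = "") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findOperatorKeys(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const here = path ? `${path}.${k}` : k;
      if (k.startsWith("$") || k.includes(".")) hits.push(here);
      hits.push(...findOperatorKeys(v, here));
    }
  }
  return hits;
}

// Hypothetical login validator: reject operator keys outright, then
// require each credential field to be a bounded, non-empty string so the
// query built from it can never become an operator expression.
function validateLogin(body) {
  const ops = findOperatorKeys(body);
  if (ops.length) return { ok: false, reason: `operator key(s): ${ops.join(", ")}` };
  for (const f of ["username", "password"]) {
    if (typeof body[f] !== "string" || body[f].length === 0 || body[f].length > 256) {
      return { ok: false, reason: `${f} must be a non-empty string` };
    }
  }
  return { ok: true, query: { username: body.username, password: body.password } };
}

// Constructed sample bodies: the article's two NoSQL payloads and a benign login.
const samples = [
  { username: { $ne: null }, password: { $ne: null } }, // operator injection
  { query: { $where: "this.password == 'test'" } },     // $where injection
  { username: "alice", password: "s3cret" },            // legitimate request
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of samples) console.log(JSON.stringify(s), "->", validateLogin(s));
}
```

Logging the rejected path (for example `username.$ne`) gives the SOC a precise detection signal for injection attempts against the endpoint.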
Server-Side Request Forgery (SSRF) in APIs often occurs through URL parameters or webhook configurations. Test by injecting internal URLs or cloud metadata endpoints. Modern APIs integrating with cloud services are particularly susceptible to SSRF attacks targeting instance metadata services. ZAP's active scanner includes SSRF detection, but manual testing with collaborator services often proves more effective.