Reputation: 1677
I'm currently checking whether my REST API is vulnerable to SQL injection, but I'm confused about the process.
My API accepts JSON, then sends the requests to a MySQL database. I've tried sending strings that should lead to SQL injection like ' OR 'x'='x, but rather than being executed they're being sent to the server as strings, which I suppose means they're not a problem.
I'm now doing some more intensive testing with Postman; however, if I try to add strings to my parameters such as:
{
"name": "test" OR 1 = 1 -- "
}
Postman will just inform me the JSON syntax is incorrect, and even if I do send it, I'll get an "Invalid JSON" response without it even getting to my REST API.
Is this a good or bad thing? How do I actually go about testing my API?
Upvotes: 1
Views: 6490
Reputation: 392
Postman is right, your JSON is corrupted. You should escape double quotes in the field name or value; it is a special symbol in JSON.
Your query should look like:
{
"name": "test\" OR 1 = 1 -- "
}
Read more about special chars in JSON: https://www.json.org/json-en.html
Upvotes: 7
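As an added example (not code from the question or the answer), this Python script shows the full round trip: json.dumps produces the escaped body the answer shows, json.loads hands the API back the raw double quote, and a constructed in-memory sqlite3 table (standing in for MySQL) shows why "sent as a string" is only safe when the handler binds the value as a parameter rather than splicing it into the SQL text. The table, column and handler names are assumptions for the demo; the second payload is the ' OR 'x'='x string from the question, since single-quoted literals behave the same in SQLite and MySQL.

```python
import json
import sqlite3

# The two test strings from the thread, as they must reach the API after JSON decoding.
DQUOTE_PAYLOAD = 'test" OR 1 = 1 -- '
SQUOTE_PAYLOAD = "' OR 'x'='x"


def encode_body(name: str) -> str:
    """Build the JSON request body. json.dumps escapes the embedded double quote
    the same way the answer does, giving {"name": "test\\" OR 1 = 1 -- "}."""
    return json.dumps({"name": name})


def decode_body(body: str) -> str:
    """What the API sees after parsing the body: the quote is back, unescaped,
    so JSON escaping protects the transport, not the database."""
    return json.loads(body)["name"]


def _demo_db() -> sqlite3.Connection:
    # Constructed sample table (hypothetical 'users' schema) for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_parameterized(name: str) -> int:
    """Safe handler: the decoded value is bound as a query parameter, so the
    database compares it as data. Returns the number of matching rows."""
    conn = _demo_db()
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return len(rows)


def lookup_concatenated(name: str) -> int:
    """Vulnerable handler, for comparison only: the decoded value is spliced into
    the SQL text, so the quote in the payload ends the literal early."""
    conn = _demo_db()
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return len(conn.execute(query).fetchall())


if __name__ == "__main__":
    body = encode_body(DQUOTE_PAYLOAD)
    print("wire body:", body)                      # escaped, valid JSON
    print("decoded  :", decode_body(body))         # raw quote restored
    print("bound    :", lookup_parameterized(SQUOTE_PAYLOAD))  # 0 rows: treated as data
    print("spliced  :", lookup_concatenated(SQUOTE_PAYLOAD))   # 2 rows: injected
```

A matching row count for an ordinary name and zero rows for the quoted payload is the behaviour a correctly parameterized endpoint should show; every row coming back is the signal that the value reached the query as SQL.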