Security

SQL Injection

SQL injection occurs when untrusted input (for example an API parameter) is concatenated into the text of a SQL statement, so that the database interprets the input as SQL code rather than as a data value. When the statement runs, the attacker's commands execute with whatever privileges the application's database account holds. Data can be read, modified or deleted, and the results can be returned to the attacker through the normal response.

Mitigation Tips:

  • Use prepared statements (parameterized queries) instead of concatenated SQL statements. The driver sends the input separately from the command, so the input can never change the structure of the query.
  • Restrict the database account that the SQL command is executed with to only the actions the application needs (for example SELECT on the tables it reads, no DROP or schema access).
  • Always validate input on the server.
  • Never trust the client to have validated or sanitized input; anything done in the client can be bypassed by an attacker.
  • Use mature libraries for data validation and escaping; there are too many variants (quoting styles, comment syntax, encodings) to catch with custom sanitization code.
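The following is an added example, not code from the original notes: it builds a small constructed in-memory SQLite database and runs the same lookup two ways, once with string concatenation and once with a parameterized query, against a normal username and against two injection payloads. The table name, sample rows and payloads are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for the demo (not from the original page).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory database with a users table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    # executemany with '?' placeholders is itself a parameterized insert.
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Concatenates the input into the SQL text: the input becomes code."""
    query = (
        "SELECT username, email FROM users WHERE username = '" + username + "'"
    )
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Prepared statement: the value travels separately from the statement,
    so quotes, OR clauses and comment markers in it are just characters."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Classic tautology payload: closes the string literal, then adds a
# condition that is always true, returning every row.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"

# UNION payload: appends a second SELECT against SQLite's schema table,
# disclosing table definitions; the trailing '--' comments out the
# closing quote that the application's query template adds.
UNION_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    """Run both lookups against normal input and both payloads."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "vulnerable_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY_PAYLOAD),
        "safe_union": lookup_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query, the tautology payload returns all three users and the UNION payload returns the CREATE TABLE text from sqlite_master; the parameterized query returns exactly one row for "alice" and no rows for either payload, because it looks for a username that literally equals the payload string. Note that SQLite refuses to run more than one statement per execute() call, so a "'; DROP TABLE users; --" style payload fails here, but many other database drivers do allow stacked statements, which is why restricting the database account's privileges is still worthwhile even once queries are parameterized.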

API Security

Always remember the CIA triad when securing APIs:

  • C: Confidentiality - Only intended audience can access information.
  • I: Integrity - Prevent unauthorized mutation of data.
  • A: Availability - API can be reached by legitimate users.

Common API Threats: STRIDE

  • S: Spoofing - pretending to be someone else
  • T: Tampering - altering data
  • R: Repudiation - denying having performed an action (countered by audit logging and non-repudiable signatures)
  • I: Information disclosure - revealing private information
  • D: Denial of Service - preventing access
  • E: Elevation of Privilege - gaining capabilities or access beyond what the caller is authorized for