Application programming interfaces (APIs), the connecting links between services, applications and data, have become essential for enterprise developers because they let programmers integrate and reuse external software components instead of having to develop those components themselves.
SQL Injection Isn't Going Anywhere
SQL injection might sound like a thing of the past, but it is still one of the most widely used attack methods directed at web applications around the world. According to the Akamai Media Under Assault report, a staggering 69.7% of all web application attacks between January 2018 and June 2019 were SQL injections. That is a LOT, considering that it was supposedly first discovered by a man by the name of Jeff "Rain Forest Puppy" Forristal back in 1998. Yes... '98.
Blind SQL Injection
Blind SQL injection is similar to normal SQL injection, except that the HTTP responses do not contain the results of the injected SQL query; a generic page or error is shown instead. Only one bit of information (true/false) can be extracted per request, but that is all it takes.
Meteor Blind NoSQL Injection
I recently came across a Meteor application, which had a publicly callable method 'users.count' that would return the count of users registered in the app. While this may not be significant from a threat assessment perspective, I decided to give it another look and dig a bit deeper.