Injection, listed as API8:2019 in the OWASP API Security Top 10, occurs when untrusted or malicious data is sent to an API and executed as part of a command or query, allowing attackers to access or manipulate backend systems. This includes SQL, NoSQL, command, and LDAP injection, often caused by APIs passing input directly into interpreters without proper validation or sanitization. Successful injection attacks can lead to data leaks, unauthorized access, or complete system compromise. To prevent injection, APIs should use parameterized queries, validate all input, and avoid directly embedding user-supplied data in backend commands or queries.
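The difference between embedding input in a query and binding it as a parameter, shown as an added example that is not part of the original page. The `users` table, the function names, the username allow-list and the sample rows are assumptions constructed for illustration, using Python's built-in `sqlite3` module.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data: an in-memory table standing in for the API's backend.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def find_user_unsafe(conn, username):
    # Weak form: the API parameter is concatenated into the SQL text,
    # so the interpreter parses it as part of the query.
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def find_user_bound(conn, username):
    # Parameterized query: the value is bound to the placeholder and is
    # only ever compared as data, never parsed as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()

# Assumed policy for this example: short names from a fixed character set.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def find_user_api(conn, username):
    # Handler-level check: validate against the allow-list first,
    # then still use the bound query (defence in depth).
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return find_user_bound(conn, username)

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed test input containing SQL syntax
    print("unsafe:", find_user_unsafe(db, crafted))  # condition rewritten by input
    print("bound: ", find_user_bound(db, crafted))   # treated as a literal name
    try:
        find_user_api(db, crafted)
    except ValueError as exc:
        print("api:   ", exc)
```

The same pair of assertions (crafted input returns nothing from the bound query and is rejected by the handler) works as a regression test for any endpoint that builds queries from request parameters.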