How to Detect SQL Injection in API Traffic
Learn where SQL injection hides in API requests, common detection patterns, and how modern security tools identify SQLi attacks across different parameter types.
SQL injection (SQLi) has been around for decades, yet it consistently appears in breach reports. The reason: APIs create new attack surfaces that traditional detection methods miss.
Understanding where SQLi appears in API traffic (and how to detect it) is essential for any security team.
Where SQL Injection Hides in APIs
Traditional web apps receive SQLi through form fields. APIs offer attackers more options.
Query parameters are the obvious target:
GET /api/products?category=electronics' OR '1'='1
Path parameters are often overlooked:
GET /api/users/1; DROP TABLE users--/profile
JSON body fields require parsing to inspect:
POST /api/search
{
  "query": "laptop",
  "filters": {
    "price": "100' UNION SELECT * FROM users--"
  }
}
HTTP headers sometimes feed database queries:
X-Tenant-ID: customer123'; DELETE FROM orders;--
Common SQLi Patterns
Detection systems look for specific patterns that indicate injection attempts. These aren’t foolproof (attackers use encoding and obfuscation), but they catch most automated attacks.
Classic injection markers:
' OR '1'='1
" OR "1"="1
1; DROP TABLE
' UNION SELECT
'--
'; --
/* comment */
Time-based blind injection:
'; WAITFOR DELAY '0:0:5'--
' AND SLEEP(5)--
'; pg_sleep(5)--
Error-based extraction:
' AND 1=CONVERT(int, @@version)--
' AND extractvalue(1, concat(0x7e, version()))--
Why Pattern Matching Isn’t Enough
Signature-based detection catches known patterns. Sophisticated attackers bypass it with encoding, case manipulation, and comment insertion.
The same attack, multiple encodings:
%27%20OR%20%271%27%3D%271 (URL encoded)
' oR '1'='1 (case variation)
'/**/OR/**/'1'='1 (comment bypass)
Effective detection combines pattern matching with behavioral analysis: Does this parameter normally contain SQL keywords? Is this user sending injection patterns across multiple endpoints? Has this IP attempted similar attacks before?
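The evasions listed above (URL encoding, case variation, comment splicing) and the parameter locations from the first section can be handled in one normalize-then-match pass. The following is an added example, not code from the original page or from Cyron: it URL-decodes each value a bounded number of times, strips inline comments, case-folds, and then applies rules built from the markers listed above to query parameters, path segments, headers and JSON body fields. The rule list, the confidence values, the CONTEXT_WEIGHT table (a stand-in for the per-field context scoring the page describes) and the SAMPLE_REQUEST are assumptions constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Detection rules assembled from the markers listed on the page. Every regex
# runs against NORMALIZED text (decoded, lower-cased, comments stripped), so
# one rule covers the URL-encoded, case-varied and comment-spliced forms.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"""['"]\s*or\s*['"]?\d+['"]?\s*=\s*['"]?\d+"""), 0.8),
    ("stacked-drop", re.compile(r";\s*drop\s+table\b"), 0.95),
    ("stacked-delete", re.compile(r";\s*delete\s+from\b"), 0.95),
    ("union-select", re.compile(r"\bunion\s+select\b"), 0.9),
    ("time-based", re.compile(r"\b(?:sleep|pg_sleep|waitfor\s+delay)\b"), 0.9),
    ("error-based", re.compile(r"extractvalue\s*\(|convert\s*\(\s*int\b|@@version"), 0.9),
    ("comment-terminator", re.compile(r"""['"]\s*(?:--|#)"""), 0.5),
]

# Contextual weights (assumed example values): fields that legitimately hold
# code or free text get their confidence scaled down; others keep full weight.
CONTEXT_WEIGHT = {"body.snippet": 0.3}


def normalize(value: str) -> str:
    """Undo the evasions before matching: bounded repeated URL-decoding (covers
    double encoding without looping forever), inline comment removal
    ('/**/OR/**/' -> ' OR '), whitespace collapse and case folding."""
    text = value
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"\s+", " ", text)
    return text.strip().lower()


def _walk_json(prefix, node):
    """Yield (dotted path, string) for every string leaf of a JSON document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _walk_json(f"{prefix}.{key}", val)
    elif isinstance(node, list):
        for idx, val in enumerate(node):
            yield from _walk_json(f"{prefix}[{idx}]", val)
    elif isinstance(node, str):
        yield prefix, node


def extract_fields(request: dict):
    """Yield (location, field name, raw value) for each place SQLi can hide:
    query parameters, path segments, headers and JSON body fields."""
    parts = urlsplit(request["url"])
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        yield "query", name, value
    for idx, segment in enumerate(parts.path.split("/")):
        if segment:
            yield "path", f"segment[{idx}]", segment
    for name, value in request.get("headers", {}).items():
        yield "header", name, value
    if request.get("body"):
        for name, value in _walk_json("body", json.loads(request["body"])):
            yield "body", name, value


def scan_request(request: dict) -> list:
    """Return one finding per (field, rule) hit with context-weighted confidence."""
    findings = []
    for location, name, raw in extract_fields(request):
        text = normalize(raw)
        for label, regex, base in SQLI_PATTERNS:
            if regex.search(text):
                findings.append({
                    "location": location,
                    "field": name,
                    "pattern": label,
                    "confidence": round(base * CONTEXT_WEIGHT.get(name, 1.0), 2),
                })
    return findings


# Constructed sample request combining the page's examples; not real traffic.
SAMPLE_REQUEST = {
    "method": "POST",
    "url": "/api/users/1%3B%20DROP%20TABLE%20users--/profile"
           "?category=electronics%27%20oR%20%271%27%3D%271&page=2",
    "headers": {"X-Tenant-ID": "customer123'; DELETE FROM orders;--"},
    "body": json.dumps({
        "query": "laptop",
        "filters": {"price": "100'/**/UNION/**/SELECT * FROM users--"},
        "snippet": "WHERE name = 'x'--",
    }),
}

if __name__ == "__main__":
    for finding in scan_request(SAMPLE_REQUEST):
        print(finding)
```

Two design points matter more than the regex list. The decode loop is bounded, so a value stuffed with nested percent-encoding cannot stall the detector, and each rule sees the same canonical text whether the payload arrived as %27%20OR, ' oR or '/**/OR/**/. The per-field weight is how a single quote in a free-text or code field ends up as a low-confidence finding instead of an alert; this is still signature matching, which is why the page pairs it with the behavioral signals it describes next.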
Detection in Practice
Modern API security analyzes multiple signals:
Lexical analysis: Tokenizing input to identify SQL syntax regardless of encoding. The string %27%20UNION becomes ' UNION before analysis.
Contextual scoring: A single quote in a name field is suspicious. In a code snippet field, it’s normal. Context matters.
Response correlation: Did the request trigger a database error? Did response time increase significantly? Did the response structure change unexpectedly?
Behavioral patterns: Is this source IP systematically testing endpoints? Are requests coming faster than legitimate users operate?
What Detection Outputs Look Like
Useful SQLi alerts include context beyond “injection detected”:
Essential fields: source IP, targeted endpoint, injection location (query/body/header), matched pattern, confidence score, timestamp.
Advanced context: user/session identifier, related requests from same source, whether the injection appeared successful (based on response analysis).
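As an added example (not part of the original page and not Cyron's code), the following builds the alert record described above from a constructed traffic window, attaching the response-correlation and behavioral signals from the previous section: it compares a flagged request's latency with the endpoint's median baseline, looks for database error text and 5xx status in the response, and counts how many endpoints one source has sent payloads to and at what rate. The thresholds, the DB_ERROR_MARKERS list, the record field names and the SAMPLE_RECORDS rows (whose "finding" column stands in for the output of a per-request matcher) are all assumptions.

```python
import statistics
from datetime import datetime, timezone

# Tunable thresholds (assumed example values, not taken from the page).
LATENCY_SPIKE_FACTOR = 3.0    # time-based payload answered >3x slower than baseline
SCAN_ENDPOINT_THRESHOLD = 3   # one source sending payloads to this many endpoints
SCAN_RATE_PER_SECOND = 2.0    # sustained rate above what an interactive user produces
DB_ERROR_MARKERS = ("sql syntax", "odbc", "pg::", "ora-", "sqlite3")


def baseline_latency(records, endpoint):
    """Median latency of unflagged requests to an endpoint; the comparison
    point for 'did response time increase significantly?'."""
    clean = [r["latency_ms"] for r in records
             if r["endpoint"] == endpoint and r["finding"] is None]
    if not clean:  # no clean traffic seen yet: fall back to every request
        clean = [r["latency_ms"] for r in records if r["endpoint"] == endpoint]
    return statistics.median(clean)


def success_evidence(record, baseline):
    """Response-correlation signals that an injection reached the database."""
    reasons = []
    if any(m in record["response_snippet"].lower() for m in DB_ERROR_MARKERS):
        reasons.append("db-error-in-response")
    if record["status"] >= 500:
        reasons.append("server-error")
    if (record["finding"] == "time-based"
            and record["latency_ms"] > LATENCY_SPIKE_FACTOR * baseline):
        reasons.append("latency-spike")
    return reasons


def source_behavior(records, src_ip):
    """Behavioral signals for one source IP across the whole window."""
    own = sorted((r for r in records if r["src_ip"] == src_ip), key=lambda r: r["ts"])
    probed = sorted({r["endpoint"] for r in own if r["finding"] is not None})
    span = max(1.0, own[-1]["ts"] - own[0]["ts"])
    rate = len(own) / span
    return {
        "related_requests": len(own),
        "endpoints_probed": probed,
        "requests_per_second": round(rate, 2),
        "systematic": len(probed) >= SCAN_ENDPOINT_THRESHOLD or rate > SCAN_RATE_PER_SECOND,
    }


def build_alerts(records):
    """One alert per flagged request, carrying the essential and advanced fields."""
    alerts, baselines = [], {}
    for r in records:
        if r["finding"] is None:
            continue
        ep = r["endpoint"]
        baselines.setdefault(ep, baseline_latency(records, ep))
        evidence = success_evidence(r, baselines[ep])
        behavior = source_behavior(records, r["src_ip"])
        alerts.append({
            # essential fields
            "source_ip": r["src_ip"],
            "endpoint": ep,
            "injection_location": r["location"],
            "matched_pattern": r["finding"],
            "confidence": r["confidence"],
            "timestamp": datetime.fromtimestamp(r["ts"], tz=timezone.utc).isoformat(),
            # advanced context
            "session_id": r["session"],
            "related_requests": behavior["related_requests"],
            "endpoints_probed": behavior["endpoints_probed"],
            "systematic_source": behavior["systematic"],
            "appeared_successful": bool(evidence),
            "evidence": evidence,
        })
    return alerts


def _rec(ts, src_ip, session, endpoint, location, finding, confidence, status, latency_ms, snippet):
    return {"ts": ts, "src_ip": src_ip, "session": session, "endpoint": endpoint,
            "location": location, "finding": finding, "confidence": confidence,
            "status": status, "latency_ms": latency_ms, "response_snippet": snippet}


# Constructed traffic window: one legitimate client and one source probing three
# endpoints. The 'finding' column is what a per-request matcher would emit.
SAMPLE_RECORDS = [
    _rec(1700000000.0, "203.0.113.5", "sess-u1", "/api/products", None, None, 0.0, 200, 40, '[{"id":1}]'),
    _rec(1700000001.0, "198.51.100.7", "sess-x9", "/api/products", "query", "tautology", 0.8, 200, 42, '[{"id":1}]'),
    _rec(1700000002.0, "203.0.113.5", "sess-u1", "/api/search", None, None, 0.0, 200, 60, '{"hits":[]}'),
    _rec(1700000003.0, "198.51.100.7", "sess-x9", "/api/search", "body", "union-select", 0.9, 500,
         70, "You have an error in your SQL syntax"),
    _rec(1700000004.0, "203.0.113.5", "sess-u1", "/api/users/1/profile", None, None, 0.0, 200, 50, '{"name":"a"}'),
    _rec(1700000005.0, "198.51.100.7", "sess-x9", "/api/users/1/profile", "header", "time-based", 0.9, 200,
         5200, '{"name":"a"}'),
]

if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_RECORDS):
        print(alert)
```

Each alert carries the essential fields (source, endpoint, location, pattern, confidence, timestamp) plus the context that makes triage faster: whether the response suggested the payload reached the database, and whether the same source has been working through other endpoints. The baseline is computed from unflagged requests only, so an attacker's own slow responses cannot drag the reference latency upward and mask a time-based probe.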
Detect SQL Injection Automatically
Cyron analyzes API traffic in real time, detecting SQL injection across query parameters, request bodies, and headers. Get alerts with full request context delivered to your SIEM.