APIs with the following properties are open to injection flaws:
I can also draw from experience on this vulnerability type, as I have found and reported on it often. The form I prefer is SQL injection via the import feature and OS command injection from an unexpected source. Let's start with the SQL injection.
I found this issue while doing bug bounties on a private program. It happened because the developers sanitised all the direct input very well but did not think to include the import functionality, because the base of the application was built a year before the import functionality.
Upload.csv looked like this:
name,adress,email,phone
',',','
While uploading, I selected the comma as the field separator. This displayed a SQL error, and from there I dug in deeper.
The error was:
Expects paremeter 1 to be string, null given in /var/www/html/import.php
This made me close the query and start a new one of my own:
name,adress,email,phone
';select * from users;--,',','
This made the application dump the entire users table in an error message. That was enough for me to report this issue and collect my bounty.
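The import-path gap described above, shown from the fixing side as an added example (not code from the original application): a CSV importer that pastes fields into the SQL string next to one that binds them as parameters. The `contacts` table, the function names and the sample rows are assumptions constructed for illustration, and SQLite stands in for the unknown database behind import.php.

```python
import csv
import io
import sqlite3

# Constructed sample upload: the header from the write-up plus two rows,
# one ordinary and one whose fields contain single quotes.
SAMPLE_CSV = (
    "name,adress,email,phone\n"
    "Alice,1 Main St,alice@example.com,555-0100\n"
    "O'Brien,'; select * from users;--,ob@example.com,555-0101\n"
)

def new_db():
    """Fresh in-memory database with a hypothetical contacts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (name TEXT, adress TEXT, email TEXT, phone TEXT)")
    return db

def import_unsafe(db, text):
    """Pattern to avoid: CSV fields are concatenated into the SQL string."""
    errors = []
    for row in csv.DictReader(io.StringIO(text)):
        sql = ("INSERT INTO contacts VALUES ('%s', '%s', '%s', '%s')"
               % (row["name"], row["adress"], row["email"], row["phone"]))
        try:
            db.execute(sql)
        except sqlite3.Error as exc:
            # A quote in the data changed the statement's structure.
            errors.append(str(exc))
    return errors

def import_safe(db, text):
    """Hardened: fields are bound as parameters and never parsed as SQL."""
    rows = [(r["name"], r["adress"], r["email"], r["phone"])
            for r in csv.DictReader(io.StringIO(text))]
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", rows)
    return len(rows)

def stored_names(db):
    """Names in insertion order, to compare what each importer stored."""
    return [n for (n,) in db.execute("SELECT name FROM contacts ORDER BY rowid")]

if __name__ == "__main__":
    bad, good = new_db(), new_db()
    print("unsafe errors:", import_unsafe(bad, SAMPLE_CSV))
    print("safe rows:", import_safe(good, SAMPLE_CSV), stored_names(good))
```

The hardened importer should also return a generic failure message to the uploader and log the database error server-side, since the leak in the write-up came through an error message.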
The second example I have is a little less complicated. I noticed a parameter literally called "osParam" which seemed to have some flags in it. I rushed to start up Burp Suite Intruder with a list of command injections I had prepared before and had a hit on the 9th request that Burp Suite made. The command separator was a newline character '\n' and my ping command delayed the response.
index.php?osParam=\\nping -c 10 127.0.0.1
So I quickly tried a whoami, reported the result and awaited approval, which came 2 days later.