Configurable Injection Analyzer

Configuration Name: ConfigurableInjection

Description

The ConfigurableInjection analyzer sends user-specified strings as values of input parameters of an API operation. This analyzer only sends the attack vectors to non-header input parameters. This enables users of Sift to configure specific attack vectors in an analysis run.

Configuration Parameters

The ConfigurableInjection analyzer requires one or more attack rules to be configured, each consisting of a set of attack strings and an associated severity.

  • attacks: list of attack rules

Each attack rule in the attacks list is an object with the following fields:

  • name: Name of a rule used to identify any faults reported by the analyzer.
  • file: Path of a file on the local filesystem that contains attack strings.
  • injectionStrings: List of attack strings given in the configuration directly.
  • severity: Severity to be reported in a finding if the rule fails. One of "high", "medium", or "low".

If specified, the value of file must be a filename that contains a list of attack strings, one per line.

attackString1
attackString2
attackString3
...
attackStringN

If both file and injectionStrings are given, then the list of attack vectors is the combined list of strings found in both.
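As an added illustration (not Sift's own code), the following expands a ConfigurableInjection rule the way the description above implies: it merges the file-based and inline attack strings, skips header parameters, and shapes the resulting finding after the SIF-100 entry below. The parameter list format and the function names are assumptions.

```python
from pathlib import Path

SEVERITIES = ("high", "medium", "low")


def load_attack_vectors(rule: dict) -> list[str]:
    """Combine strings from 'file' (one per line) with 'injectionStrings'."""
    vectors: list[str] = []
    if rule.get("file"):
        text = Path(rule["file"]).read_text(encoding="utf-8")
        vectors.extend(line for line in text.splitlines() if line.strip())
    vectors.extend(rule.get("injectionStrings", []))
    return vectors


def validate_rule(rule: dict) -> None:
    """Reject rules lacking a name, a valid severity, or any attack strings."""
    if not rule.get("name"):
        raise ValueError("attack rule needs a name")
    if rule.get("severity") not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if not rule.get("file") and not rule.get("injectionStrings"):
        raise ValueError("attack rule needs 'file' or 'injectionStrings'")


def plan_requests(parameters: list[dict], rule: dict) -> list[tuple[str, str]]:
    """(parameter name, attack string) pairs; header parameters are skipped."""
    validate_rule(rule)
    targets = [p["name"] for p in parameters if p["in"] != "header"]
    vectors = load_attack_vectors(rule)
    return [(name, vector) for name in targets for vector in vectors]


def fault_for(rule: dict) -> dict:
    """Finding shaped after the SIF-100 row, filled in from the rule."""
    return {"id": "SIF-100",
            "title": f"User Injection - {rule['name']}",
            "severity": rule["severity"]}


if __name__ == "__main__":
    # Constructed sample: parameters of a hypothetical GET /users/{id} operation
    params = [{"name": "id", "in": "path"}, {"name": "X-Request-Id", "in": "header"}]
    rule = {"name": "demo", "injectionStrings": ["' OR 1=1 --"], "severity": "medium"}
    for target, vector in plan_requests(params, rule):
        print(f"{target} <- {vector!r}")
    print(fault_for(rule))
```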

Faults Reported

The name and severity configuration fields of an attack rule are used when reporting a finding for a detected fault. The name parameter is included in the title of the fault, and the severity field sets the severity of the fault.

Fault Identifier: SIF-100
Title: User Injection - {name}
Summary: A user-specified string was used as an attack vector for an API operation that reads or updates a resource using a string identifier in the request.
Solution: API implementation should properly sanitize inputs. API should respond with a client error for an invalid identifier.
Severity: {severity} as configured