SQL Injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
This is a method of attacking web applications that have a data repository or database backend.
The attacker sends specially crafted SQL statements that are designed to cause some malicious action.
Common attack surface
Many web applications take user input from a form. It is often the case that limited error handling is performed on these logon pages. Another common error is to perform input validation only on the client side and not on the server side.
A SQL Injection attack tries to force the application to accept and execute SQL statements supplied by the attacker.
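The following is an added example (not code from the original page) that shows the two sides of the point above: a logon check that splices the form fields straight into the SQL text, beside the same check written with bound parameters. The table, the user row, and the crafted entry-field value are constructed for the demonstration; the sqlite3 in-memory database stands in for whatever backend the application uses.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed example data: one user in an in-memory SQLite database.
    Passwords are stored in clear text only to keep the example short;
    a real application stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by string concatenation, so characters typed into
    the form become part of the SQL syntax rather than data."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Bound parameters: the statement text is fixed and the driver passes the
    two values separately, so input can never change the query's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Runs both checks against a constructed crafted value in the password
    field and a legitimate logon, and returns what each variant accepts."""
    conn = build_db()
    # Constructed example of a crafted entry-field value: the closing quote and
    # the tautology make the concatenated WHERE clause true for every row.
    crafted = "' OR '1'='1"
    return {
        "vulnerable": login_vulnerable(conn, "anyone", crafted),
        "parameterized": login_parameterized(conn, "anyone", crafted),
        "legitimate": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted as ' + result if result else 'rejected'}")
```

The concatenated version signs the crafted request in as the first user in the table; the parameterized version compares the literal string and rejects it, while still accepting the legitimate credentials. Server-side validation of the fields is still worthwhile, but binding parameters is what removes the injection itself.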
According to the Akamai State of the Internet report, SQL injection is one of the top attack vectors observed online.
URL injection is the act of altering a URL or URI in an attempt to gain access to data the user was not intended to access. URL injection is often used to perform directory traversal attacks or even SQL injection. Web APIs have greatly increased the attack surface of URL injection, since they allow the browser to request process and data assets through an easily accessible medium.
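As an added example (not code from the original page) of the server-side check that defends the directory traversal case just mentioned: a URL path parameter is decoded, joined to the directory the application is allowed to serve from, resolved to its real filesystem location, and refused if that location is not inside the base directory. The base directory path and the request values below are constructed for the demonstration.

```python
import os
from urllib.parse import unquote


def resolve_under_base(base_dir: str, requested: str):
    """Return the real filesystem path for a URL path parameter, or None if
    the resolved path escapes base_dir. base_dir is assumed to be absolute."""
    # Decode percent-encoding exactly once, so "%2e%2e%2f" is seen as "../".
    decoded = unquote(requested)
    # Treat backslashes as separators too; some servers and clients do.
    decoded = decoded.replace("\\", "/")
    # A leading slash would make os.path.join discard base_dir entirely,
    # so strip it and treat every request as relative to the base.
    relative = decoded.lstrip("/")
    candidate = os.path.realpath(os.path.join(base_dir, relative))
    base_real = os.path.realpath(base_dir)
    # commonpath works on whole path components, so "/srv/app/public2"
    # is correctly rejected for a base of "/srv/app/public".
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def is_within_base(base_dir: str, requested: str) -> bool:
    """Convenience wrapper returning the accept/reject decision only."""
    return resolve_under_base(base_dir, requested) is not None


if __name__ == "__main__":
    # Constructed request values against a constructed base directory.
    base = "/srv/app/public"
    for path in ("reports/q1.pdf", "../../etc/passwd",
                 "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "reports/../q1.pdf"):
        print(f"{path!r}: {resolve_under_base(base, path)}")
```

The decision is made on the resolved path, not on the presence of ".." in the input, so an encoded or oddly written traversal sequence is rejected for the same reason a plain one is: it ends up outside the base directory. If the web framework has already decoded the parameter, skip the unquote step rather than decoding twice.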