SQL Injection
A code injection technique that exploits vulnerabilities in database query construction to access, modify, or delete data.
SQL injection (SQLi) occurs when an attacker can insert malicious SQL code into queries that an application sends to its database. This happens when user input is concatenated directly into SQL statements without proper parameterization or sanitization. Successful SQL injection can lead to unauthorized data access, data modification, authentication bypass, and in some cases, full server compromise.
SQL injection remains one of the most common and dangerous web application vulnerabilities, consistently appearing in the OWASP Top 10. Variants include classic in-band SQLi, blind SQLi (boolean-based and time-based), and out-of-band SQLi that exfiltrates data through alternative channels.
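The concatenation problem described above, as an added example that is not part of the original page: a login lookup built by string concatenation beside the same lookup using bound parameters, run against a constructed in-memory SQLite table (the table, the user record and the crafted input are all assumptions made for this demonstration).

```python
import sqlite3


def make_db():
    """Constructed sample database with one user (example data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: user input is spliced into the SQL text itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Placeholders: the driver binds input as data, so it can never alter the query grammar."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run both variants with honest credentials and with a constructed crafted username."""
    conn = make_db()
    # The single quote closes the string literal in the concatenated query and the
    # rest of the input is parsed as SQL (here a comment that drops the password check).
    crafted = "alice' --"
    return {
        "vuln_honest": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_crafted": login_vulnerable(conn, crafted, "wrong"),
        "param_honest": login_parameterized(conn, "alice", "correct-horse"),
        "param_crafted": login_parameterized(conn, crafted, "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The concatenated version returns the user row for the crafted input even though the password is wrong; the parameterized version looks for a user literally named `alice' --` and returns nothing.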
How APVISO tests for this: APVISO's scanner agent uses AI reasoning to identify both classic SQLi patterns and sophisticated blind SQL injection techniques. It generates context-aware payloads based on the observed database technology and tests across all input vectors including headers, cookies, and JSON bodies.
Test your applications for SQL injection vulnerabilities
APVISO's AI agents automatically test for this and many more vulnerability categories.
Start Testing Free