In which type of attack does the attacker send unauthorized commands to a back-end database through a web application?

Prepare for the WGU ITEC2112 D315 Network and Security - Foundations Exam with engaging multiple choice questions, hints, and detailed explanations. Gear up for success with our comprehensive study resources!

SQL Injection is a type of attack where an attacker exploits vulnerabilities in a web application by sending unauthorized SQL commands to the back-end database. This typically occurs when an application does not properly validate user input, allowing the attacker to insert or "inject" malicious SQL queries that can manipulate the database.

The significance of this attack lies in its potential to compromise the confidentiality, integrity, and availability of the data stored in the database. With a successful SQL injection attack, an attacker may be able to retrieve sensitive information (such as user credentials), alter existing data, or even delete records from the database.

This type of attack is particularly dangerous because it leverages the trusted relationship between the web application and the database. Since the attacker uses the web application's privileges to execute commands, they can operate with a level of access that they would not typically have if they were directly targeting the database. Proper input validation, prepared statements, and parameterized queries are essential defenses against SQL injection attacks, as they help ensure that user input is treated as data rather than executable code.
