
On the search results page, you can see the pagination links at the bottom
(the 1 2 3 and so on under the Gooooooogle logo), and you can see that
these links send the same data to the URI and add a start parameter:


    <a href="/search?hl=en&q=puppies&start=40&sa=N">5</a>

You can send parameters to a script with the URI via form fields, links or any
other thing in HTML that contains a URI: images, link elements, frames,
anything that can take an href or src attribute. If an attacker can override
any of these or add a new image to your HTML without you knowing it,
they could point to their own URIs and send their own parameters.


You have to be careful about what your parameters contain and where they
point to: that could be someone else's server (to pull in more code) or a
section of your own server that you don't want to expose or send on to
another server.
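The two checks the paragraph above asks for, written here as an added example rather than code from the original book: the pagination parameter is accepted only as a bounded non-negative integer, and any URI-valued parameter is refused unless it stays on an allow-listed host and outside private server paths. The host names, path prefixes and bounds are constructed for the example and are assumptions, not values from the text.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed for this example: the only hosts the application may send
# users or requests to (hypothetical names, not from the original text).
ALLOWED_HOSTS = {"www.example.com", "static.example.com"}
# Constructed for this example: server-side paths that must never be reachable
# through a URI parameter.
PRIVATE_PREFIXES = ("/admin", "/internal", "/etc/")


def parse_start(value, default=0, maximum=1000):
    """Validate a pagination 'start' parameter like the one in the search URL.

    Only a plain string of digits within bounds is accepted; anything else
    (missing, negative, text, an appended SQL or script fragment) falls back
    to the default instead of reaching the query.
    """
    if not isinstance(value, str) or not re.fullmatch(r"\d{1,6}", value):
        return default
    n = int(value)
    return n if n <= maximum else default


def safe_start_from_query(query_string):
    """Pull 'start' out of a raw query string and validate it."""
    values = parse_qs(query_string).get("start", [])
    return parse_start(values[0] if values else None)


def target_is_allowed(target):
    """Decide whether a URI-valued parameter (a 'next', 'file' or 'src' value)
    points somewhere this application is willing to send users or requests."""
    if not isinstance(target, str) or not target:
        return False
    # Decode once so that '%2e%2e' is seen as '..'; refuse anything that is
    # still encoded after that, as well as control characters.
    decoded = unquote(target)
    if "%" in decoded or any(c in decoded for c in "\r\n\0"):
        return False
    parts = urlsplit(decoded)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, file: and friends
    if parts.netloc:
        host = parts.hostname or ""  # hostname is already lower-cased
        if host not in ALLOWED_HOSTS:
            return False  # someone else's server, including user@host tricks
    elif decoded.startswith("\\"):
        return False  # browsers treat leading backslashes as slashes
    path = parts.path or "/"
    if ".." in path.split("/"):
        return False  # climbing out of the intended directory
    if path.startswith(PRIVATE_PREFIXES):
        return False  # section of our own server we do not want to expose
    return True


if __name__ == "__main__":
    print(safe_start_from_query("hl=en&q=puppies&start=40&sa=N"))  # 40
    print(target_is_allowed("/search?q=puppies&start=40"))         # True
    print(target_is_allowed("//evil.example.net/"))                # False
```

Validation is done with an allow-list (what is acceptable) rather than by stripping known-bad strings, because an attacker who can set an href or src attribute controls the entire value and will find an encoding the blacklist missed.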


Different Types Of Attacks. What Do These Words Mean?


Let's quickly go through the different items mentioned in the graph above
and explain what they are and what they mean.


SQL Injection


With an SQL injection, an attacker accesses your database by sending an
SQL command to your server via the URI or form fields. This is easily
prevented by sanitizing your input, but neglecting to do so can be fatal for
your website, as the following XKCD comic shows:
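An added example (not code from the original book) showing the mistake the paragraph describes next to the fix. The first function pastes the request parameter straight into the SQL text, so a crafted value changes the command; the second binds the value as a parameter, so it can only ever be compared as a literal name. The in-memory SQLite table and the user rows are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample database; the rows are example data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by concatenating the URI/form value into the SQL text.

    Whatever arrives in the request becomes part of the command, which is
    exactly the hole the text describes.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same query with a bound parameter: the database driver never parses
    the value as SQL, so it can only match a user whose name is that string."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Return (rows from the vulnerable query, rows from the safe query)."""
    conn = build_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_parameterized(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice"))          # ordinary input: both queries return 1 row
    print(compare("x' OR '1'='1"))   # crafted input: 3 rows vs 0 rows
```

Bound parameters are shown here as the fix because they remove the problem at its root: the value and the command travel separately, so there is nothing left to sanitize in the SQL text itself.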
