happens when user-provided data is poorly validated or not validated at all, or when the client is manipulated to send unexpected params to the backend. the backend must avoid at all costs using such data in db requests or other operations. if the data is needed, it should be filtered and validated on the server side, better yet parametrized, or at the bare minimum escaped properly.
headers and env vars are possible attack vectors too.
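
added example (not part of the original notes): a value taken from a request header is used in a db lookup, first concatenated into the SQL text, then parametrized, then validated server-side before the parametrized query. the `sessions` table, the 6-hex-character token format and all function names are assumptions made up for this illustration.

```python
import re
import sqlite3

# Constructed sample: a header value carrying SQL metacharacters.
HOSTILE_HEADER = "x' OR '1'='1"

# Assumed token format for this example: exactly 6 lowercase hex characters.
TOKEN_RE = re.compile(r"[0-9a-f]{6}")


def make_db():
    """In-memory database with a hypothetical sessions table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT, user TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("a1b2c3", "alice"), ("d4e5f6", "bob")])
    return db


def lookup_concat(db, token):
    # Vulnerable: the header text becomes part of the SQL statement itself,
    # so a quote in the value changes the meaning of the WHERE clause.
    sql = "SELECT user FROM sessions WHERE token = '" + token + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_param(db, token):
    # Parametrized: the value is bound separately from the SQL text and is
    # only ever compared as data.
    cur = db.execute("SELECT user FROM sessions WHERE token = ?", (token,))
    return [row[0] for row in cur]


def lookup_validated(db, token):
    # Server-side validation first, then still a parametrized query.
    if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
        raise ValueError("malformed session token")
    return lookup_param(db, token)


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concat(db, HOSTILE_HEADER))
    print("parametrized :", lookup_param(db, HOSTILE_HEADER))
    print("valid token  :", lookup_validated(db, "a1b2c3"))
```

the same applies to a value read from an env var: bind it as a parameter and validate it before use, wherever it came from.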