In this article, I’ll share how I find the SQL injection on a hidden API endpoint. Let’s go Everything stated on this simple website only contains an account activation page. 2. I captured the HTTP request: