Code Room
On-call · Medium · oc-g603
Subject: Security waf sqli spike
Level: Mid–Senior · ~35 min
Common in: Security · Databases & SQL interviews
Industries: Technology, Software development

Question

Your WAF dashboard shows blocked-request volume jumping 50x, almost entirely SQLi-signature matches (UNION SELECT, OR 1=1, sleep-based payloads) against a single endpoint: GET /api/v2/reports?filter=. The requests come from a rotating set of IPs and the payloads grow more sophisticated over the hour, suggesting an automated tool probing for a working injection. A handful of requests returned 500 instead of being blocked. You're on call for the application security rotation. Triage and respond.

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
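One way to pull the real signal out of the logs for this scenario, as an added example that is not part of the original question: it separates requests to the reports endpoint that the WAF blocked from those that reached the application and returned a 5xx. The log format, field names and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/api/v2/reports"  # endpoint named in the scenario

# Constructed sample lines in a hypothetical format:
#   <client_ip> <waf_action> <http_status> "<method> <url>"
SAMPLE_LOG = """\
203.0.113.10 BLOCK 403 "GET /api/v2/reports?filter=1%20UNION%20SELECT%20null"
203.0.113.11 BLOCK 403 "GET /api/v2/reports?filter=x%27%20OR%201%3D1--"
198.51.100.7 ALLOW 500 "GET /api/v2/reports?filter=2024%27"
198.51.100.8 ALLOW 200 "GET /api/v2/reports?filter=status%3Aopen"
198.51.100.9 ALLOW 500 "GET /api/v2/reports?filter=1%20AND%20SLEEP(5)"
192.0.2.44 ALLOW 200 "GET /api/v2/users?page=2"
"""

LINE_RE = re.compile(r'^(\S+) (BLOCK|ALLOW) (\d{3}) "(\S+) (\S+)"$')

def parse(log_text):
    """Yield one dict per well-formed log line, with the filter value URL-decoded."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ip, action, status, _method, url = m.groups()
        parts = urlsplit(url)
        query = parse_qs(parts.query, keep_blank_values=True)
        yield {"ip": ip, "action": action, "status": int(status),
               "path": parts.path, "filter": query.get("filter", [""])[0]}

def triage(log_text):
    """Return (blocked-per-IP counter, events that passed the WAF and got a 5xx)."""
    blocked, reached_app = Counter(), []
    for ev in parse(log_text):
        if ev["path"] != TARGET_PATH:
            continue
        if ev["action"] == "BLOCK":
            blocked[ev["ip"]] += 1
        elif ev["status"] >= 500:
            reached_app.append(ev)  # input got past the WAF and broke a handler
    return blocked, reached_app

if __name__ == "__main__":
    blocked, reached_app = triage(SAMPLE_LOG)
    print("blocked requests per IP:", dict(blocked))
    for ev in reached_app:
        print("reached app:", ev["ip"], ev["status"], repr(ev["filter"]))
```

The allowed 5xx rows are the ones to correlate with application and database logs first, since they show which inputs got past the WAF to the handler.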

Diagram & narrate the incident