What characterizes an SQL Injection attack in the context of APIs?

An SQL Injection attack is characterized by manipulating database queries through malicious SQL code. This vulnerability occurs when an attacker is able to insert or "inject" SQL statements into a query that is executed by the database. This can happen if user input is not properly sanitized or validated before it is included in an SQL query.

In the context of APIs, if an API endpoint is not secure and allows user input to directly interact with a database without adequate protections, an attacker can submit specially crafted input that alters the SQL commands executed by the database. This can lead to unauthorized data access, data manipulation, or even deletion of records, making it a significant security risk.

The other options do not accurately describe SQL Injection attacks. Inserting HTML code pertains to Cross-Site Scripting (XSS) vulnerabilities. Sending too many requests to the server refers to Denial of Service (DoS) attacks, which overwhelm server resources. Accessing unauthorized endpoints usually relates to authentication and authorization issues rather than SQL query manipulation. Therefore, the focus on manipulating database queries through malicious SQL code highlights the core of SQL Injection attacks.