diff --git a/src/pentesting-web/sql-injection/mysql-injection/README.md b/src/pentesting-web/sql-injection/mysql-injection/README.md index c29eb542a10..5b32f604b49 100644 --- a/src/pentesting-web/sql-injection/mysql-injection/README.md +++ b/src/pentesting-web/sql-injection/mysql-injection/README.md @@ -247,6 +247,14 @@ Mitigations: Notes: - Prepared statements do not protect against semantic abuse of `REGEXP` or search operators. An input like `.*` remains a permissive regex even inside a quoted `REGEXP '.*'`. Use allow-lists or explicit guards. +## Attaching to hidden/internal connections via request tampering + +Some BI/LookML platforms hide privileged DB connections in the UI but still honor a client-supplied connection name. If you leak an internal connection identifier (logs/errors/JS): + +- Tamper the **create-project / set-connection** request to set `connection`/`connection_name` to that identifier. +- If the backend skips auth on that parameter, the project binds to the hidden connection (e.g., the platform’s metadata MySQL DB). +- Then run SQL features (tests/validators/previews) against that DB and use error-based payloads to dump secrets. + ## Error-based exfiltration via `updatexml()` When the application only returns SQL errors (not raw result sets), you can leak data through MySQL error strings: @@ -274,4 +282,3 @@ dimension: id { - [LookOut: RCE and internal access on Looker (Tenable)](https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout) {{#include ../../../banners/hacktricks-training.md}} -
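Review bot: in the first hunk (the new "Attaching to hidden/internal connections via request tampering" section), the central step `- Tamper the **create-project / set-connection** request to set `connection`/`connection_name` to that identifier.` gives no shape of the request and no way to verify success, so a reader cannot tell which field to edit or how to confirm the project actually bound to the hidden connection; add a minimal illustrative request body (form field or JSON carrying the leaked identifier) and one verification step, such as a dimension or SQL test that only succeeds once the connection resolved. The phrase "If the backend skips auth on that parameter" should name the missing check, i.e. the server not verifying that the caller is permitted to use the named connection, rather than leaving it as a conditional. The last bullet's "use error-based payloads to dump secrets" should point directly at the `## Error-based exfiltration via `updatexml()`` section that immediately follows, since that is the technique this page documents. Because the section describes a platform-specific access path rather than a MySQL injection primitive, its scope (BI/LookML platforms, Looker) belongs in the heading, and the claim that the hidden connection is "the platform's metadata MySQL DB" should cite the LookOut Tenable reference already listed at the bottom of the file so it is traceable.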
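Review bot: the second hunk only removes the trailing blank line after `{{#include ../../../banners/hacktricks-training.md}}`, a whitespace-only change unrelated to the new section; either drop it from this patch or note it in the commit message, and confirm the file still ends with a newline after the include line (no `\ No newline at end of file` marker appears, so it likely does, but it is worth checking before merge).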