As an example, SQL injection is a type of “hacking” where a website asks you to enter something, let’s say your name, and instead of your name you can add some code instead. When you submit the form it tries to save your name to the database, but because your name is some code it actually ends up running something else on the database. Let’s say your extra code adds you to an administrator group, now you have administrator access to the website.

Another example is a website that does validation on the client side and not server side, you can change the JavaScript code and enable/disable controls you might not have access to. Let’s say you’re on the website above signing up your account and there’s a checkbox for whether you’re an Administrator but it’s grayed out. You can just update the checkbox in your browser to not be grayed out and submit the form with it checked.

Both of these examples are mostly protected against on websites these days but there are thousands of other examples and every website needs to protect against every one of them. As a “hacker” you try each one to see if any are successful against your target. There are tools that can do this checking automatically, but a clever hacker will know what to try and how to try it. Companies have similar tools they use to check if they are secure.