For those of us who haven't a clue what a SQL Injection attack, DDOS or any of the other stuff you posted here about, could you dumb it down to a sailor's level, please.
Structured Query Language is used to work with databases. Some apps connect to databases using SQL. SQL is used to move data back and forth from the server to the user. It is also used to change the design of the database. Most databases have additional functionality to issue instructions on the database server that have nothing directly to do with databases, e.g., email, file transfers, start programs, create batch files, FTP stuff, etc..
Skippers are the the web app code, SQL is the crew, the boat is the app, hackers are your guests' children. Every text box on a web form is a "Thru hull" to the inside of a "boat". Usually the thru-hull valves are pretty sturdy. There is a solid base, the opening is made of corrosion resistant material, and the crew check on the status on a regular basis. The thru hull valve may even be protected with a special watertight enclosure. Everything going through the thru hull is controlled and monitored. Some activity through the hull is expected.
The crew know to not damage the thru hulls fittings, but the kids..they see a little flimsy pipe sticking out of the side of the boat and have no control but to see if the handle moves, then how fast can they move it, then they see that when they moved it fast the whole thing moved, then out of no self control, grab the valve back and forth until it breaks clean off. They quickly show the broken piece to the other kids and get really exited about the change they made to the world.
The thru hull is now a gaping opening between the boat and the outside world. The app starts to sink.
The skipper and guest freak out and panic trying to plug the leak. Hopefully, a more robust fitting is added in that same spot later.
For real "search forms" are easy targets. You see a text box where you enter "racing". The app builds out something like select top (10) * from tblPost where 1=1 and comment like '%racing%' and gives you some results.
The hacker's make hundreds of attempts to derail the SQL so that they can void out the search and then submit a new SQL command. Might try... '; exec xp_cmdshell...--
select * from tblPosts where 1=1 and comment like '%racing'; exec xp_cmdshell...-- %'
If it worked then the user might have access to the command line of the database server. The virus scanners are often usually off on those to keep the performance up.
Hackers try all sorts of changes until something different happens. Then they build on that. It used to be web apps would give you all sorts of helpful info like 'Sorry xp_cmdshell is disabled on this server', but most don't do that anymore, they just puke on you, which can also be helpful, the best approach is to poker face errors like nothing happened. Most app designers are really, really, really lazy on security, or have no idea how to set up security groups and have one fake user that pretty much has full admin of the app, app server, are sysadmin on the db and domain admin on db server. Usually used for report server too since it has rights to everything. Crack a simple text box and you have pretty much full control of the IT infrastructure. It's really helpful if there is some inside knowledge of the brands of software used. It's easy enough to look for companies hiring and see what they need for IT help.
