Below listed are the most common security threats imposed on web applications.
SQL Injection
It's the most common and preferred attack done by attackers to manipulate or corrupt the data of data-centric applications using SQL based database systems. The attacker finds the vulnerability and uses it to read, update or delete the data. The developer must accept all the web request parameters sent by the client using parameterized queries instead of passing the parameter directly which might have an SQL query.
Cross Site Scripting(XSS)
The XSS attack can be made by injecting client-side scripts either to deface the application by showing fake messages or redirect users to different URL or steal valuable information by silently collecting the form data. These malicious scripts might alter the content of the trusted site and show false or fake content to defame the reputed sites.
Denial of Service Attacks
As the title says, the primary goal of an attacker is to consume the server resources by flooding the network resulting in application slowdown or complete shutdown. This results in application failure to legitimate users. The Network Admin must install appropriate packages to block such attacks by limiting the resource consumptions by a particular source of an attack.
Cross-Site Request Forgery(CSRF)
This type of attack either force or trick the users to perform unusual actions. The attacker won't get or steal any data in this type of attack, rather manipulate the application on the client side to trick the user to perform unauthorized activities.
Session hijacking
Session hijacking also knows as Cookie hijacking modifies the cookie to gain unauthorized access to information or resources. It's a kind of exploitation of valid sessions where session token gets compromised allowing unauthorized access to web server.
Parameter Tampering
In this kind of attack, the attacker somehow changes the URL parameters or form field data without the user's authorization, resulting in unusual behavior of the web application. The developer must validate all the URL parameters and form fields to ensure that the validation passes before performing any action on the server side. The best way to prevent such an attack is to accept only the parameters required to process the request.
Code Injection
It involves injecting scripts on the server side by unauthorized means to install backdoors, exploit server resources, steal valuable information.
The preferred attack is to find out unprotected directories especially uploads location to upload the scripts and then execute the same to exploit server resources, install malicious code, malware and backdoors. Mail servers to trigger marketing emails is one of the activities done by such scripts resulting in blacklisting the server.