The job of a software developer is to create useful software: software that performs specific tasks for a specific purpose. However, for software to be secure, the developers must ensure the software they create can perform only those tasks they intended.
Due to the complexity of computers and software, it's extremely difficult for developers to completely restrict their software to only the functionality they intended. The resulting insecure software can be exploited in various ways. Due to the nature of web applications, some vulnerabilities are most common.
Web applications often need to run shell commands to perform tasks such as image and video processing. Proper shell command sanitization can be difficult as developers are often unaware of shell command capabilities that attackers know. The result of a command injection attack can be an attacker executing arbitrary commands on a server.
Languages like PHP are interpreted languages where locations of source code are passed directly to a program called an interpreter. From there, the source code can instruct the interpreter to include source code from other files. Unfortunately, there are often ways for attackers to trick programs written in languages such as PHP into pulling in source code from files the attacker controls.
When applications fail to perform authentication correctly, including login and session management bugs, attackers can gain access to an application as other users or gain privileges they weren't supposed to have.
Though many types of vulnerabilities can be used by attackers to steal data, it's also possible for data to be left exposed. For example, an API may provide more data than a developer intends and some of this data could be sensitive personal information.
Misconfiguration vulnerabilities often result from developers not realizing a system's configuration is dangerous for their particular software. With the large number of environments, frameworks, and libraries modern developers must use, it's common for developers to be surprised by default configurations that create vulnerabilities in their software.
Cross-site scripting (XSS) vulnerabilities are specific to web applications as they involve an attacker controlling the content of a web page that's being viewed in a browser. This attack doesn't directly cause damage on the server where the application runs but rather gives the attacker control over a user's browser when visiting that website. XSS attacks can be used to initiate other attacks and steal data.
Like XSS, cross-site request forgery (CSRF) is a vulnerability that's specific to web applications. CSRF attacks exploit the fact that when a website receives a request from a user's browser, the website assumes the user intended to make that request. If an attacker can cause a user's browser to make requests without the user's knowledge, the attacker can perform actions on behalf of the user at other websites the user is logged into.
With the complexity of modern applications, a huge amount of the code in any application comes from third-party software. When a developer uses third-party plugins and libraries, they are putting their trust in the developers of that software. In situations like WordPress plugins where it's easy for anyone to create and distribute plugins, the variability of code quality and security is extremely high. This is why vulnerable plugins are the most common cause of WordPress compromises.
Just as proper monitoring of application and user behavior can allow developers to know if attacks are being performed or vulnerabilities have been exploited, lack of monitoring enables attack attempts to continue or compromised applications to be further attacked.