When doing web app security analysis or audits, people often refer to OWASP, the Open Web Application Security Project.
Below is a short summary of the OWASP Top 10 vulnerabilities for web apps in 2013.
A1 – Injection: SQL/NoSQL injection, OS commands, XPath, etc.
A2 – Broken Authentication and Session Management: authentication design flaws
A3 – Cross-Site Scripting (XSS): data sent to the server is not validated/escaped
A4 – Insecure Direct Object References: authorization design flaws
A5 – Security Misconfiguration: system-level configuration flaws, like exposure of internal web services
A6 – Sensitive Data Exposure: missing or weak encryption of important data such as passwords
A7 – Missing Function Level Access Control: for example, URL routes that are not secured, or parameters that are easy to guess and vary
A8 – Cross-Site Request Forgery (CSRF): an attacker creates forged HTTP requests and tricks a victim into submitting them via image tags or XSS
A9 – Using Known Vulnerable Components: using third-party libraries can be dangerous
A10 – Unvalidated Redirects and Forwards: unchecked redirects
IBM has a demo site that illustrates the details and also markets their product, IBM Security AppScan.