Some Security Issues

  • HTTP sends data in the clear. For real applications that handle sensitive data, we should use HTTPS

    • authenticate server

    • encrypt data sent over network via SSL

  • Session hijacking

    • Adversary who discovers session ID can take over a session

    • Checking the IP address of each request helps mitigate this threat, but doesn’t eliminate it

  • SQL injection

    • Malicious user enters input that results in execution of an SQL statement other than the intended one

  • Cross-site scripting

    • Malicious user gives input that hides a script in content that others will download
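
The IP check from the session hijacking bullet, as an added example (not part of the original notes). The `SessionStore` class, its method names, and the addresses are constructed for illustration; it shows both the case the check stops and the case it cannot detect.

```python
import secrets


class SessionStore:
    """In-memory session table binding each session ID to the IP seen at login."""

    def __init__(self):
        self._sessions = {}  # session_id -> (user, client_ip)

    def login(self, user, client_ip):
        # 256 bits from the OS CSPRNG, so the ID cannot be guessed.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (user, client_ip)
        return session_id

    def authenticate(self, session_id, client_ip):
        """Return the user for a valid request, else None."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        user, bound_ip = entry
        if bound_ip != client_ip:
            # ID presented from a different address: treat it as stolen
            # and revoke it so it cannot be replayed again.
            del self._sessions[session_id]
            return None
        return user


def demo():
    store = SessionStore()
    # Constructed documentation addresses (RFC 5737), not real hosts.
    sid = store.login("alice", "203.0.113.10")
    results = {}
    results["owner"] = store.authenticate(sid, "203.0.113.10")
    # Same ID sent by another machine behind the same NAT or proxy:
    # the server sees the same source address, so the check passes.
    results["same_nat"] = store.authenticate(sid, "203.0.113.10")
    # Same ID sent from a different network: rejected and revoked.
    results["other_ip"] = store.authenticate(sid, "198.51.100.7")
    results["after_revoke"] = store.authenticate(sid, "203.0.113.10")
    return results


if __name__ == "__main__":
    print(demo())
```

The check also ends the session of a legitimate user whose address changes mid-session, for example when a phone moves between networks.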
