1) The document discusses common web application vulnerabilities such as SQL injection and cross-site scripting, and demonstrates how they can be exploited in PHP and Ruby on Rails applications.
2) Although Ruby on Rails has built-in security features, the speaker argues that these do not eliminate security risks and that all developers must take responsibility for security.
3) Popular tools such as BeEF, sqlmap, and Burp Suite are demonstrated for exploiting vulnerabilities like cross-site scripting and for stealing session cookies.

The key message is that no framework can replace secure coding practices.