This document summarizes three common web application attacks - eavesdropping, SQL injection, and cross-site scripting (XSS) - and their corresponding countermeasures. It discusses how encrypting communications with SSL prevents eavesdropping, using escaped queries prevents SQL injection, and Rails' automatic escaping prevents XSS attacks. The document also lists some additional security practices from CERT, including input validation, least privilege, and defense in depth.
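The two escaping countermeasures named above (escaped queries against SQL injection, automatic HTML escaping against XSS) can be seen side by side in a small Ruby script. This is an added example, not code from the summarized document or from Rails itself. It assumes two constructed inputs of the kind a user might submit through a form, a hypothetical `quote_literal` helper that stands in for the quoting a database driver performs when a query is parameterised (real Rails code should pass values to `where`/`find_by` and let ActiveRecord bind them), and a small `split_sql` tokenizer that separates SQL string literals from the surrounding SQL so the effect of each approach can be checked. `ERB::Util.html_escape` is Ruby's standard-library escaper, the same routine Rails applies to ERB output.

```ruby
require 'erb'   # ERB::Util.html_escape: the escaping Rails applies automatically to view output

# Constructed sample inputs for this example (not taken from the original document).
HOSTILE_NAME    = "' OR '1'='1"
HOSTILE_COMMENT = "<script>alert(1)</script>"

# Vulnerable: the user-supplied value is interpolated straight into the SQL text,
# so a quote character in the input terminates the literal early.
def unsafe_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Hypothetical stand-in for driver-side quoting: single quotes inside the value are
# doubled, which is how SQL represents a quote inside a string literal.
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Hardened: the value is escaped, so whatever it contains stays inside one literal.
def escaped_query(name)
  "SELECT * FROM users WHERE name = #{quote_literal(name)}"
end

# Tiny tokenizer: walks the SQL text and returns [string literals, text outside literals].
# A doubled quote inside a literal is treated as an escaped quote, as SQL does.
def split_sql(sql)
  literals = []
  outside  = +""
  current  = nil          # nil while outside a literal, a String while inside one
  i = 0
  while i < sql.length
    ch = sql[i]
    if current.nil?
      if ch == "'"
        current = +""      # opening quote: start a new literal
      else
        outside << ch
      end
    elsif ch == "'"
      if sql[i + 1] == "'" # '' inside a literal is a single escaped quote
        current << "'"
        i += 1
      else
        literals << current # closing quote: literal complete
        current = nil
      end
    else
      current << ch
    end
    i += 1
  end
  [literals, outside]
end

# XSS side: raw interpolation versus the escaping Rails performs by default.
def render_comment_raw(comment)
  "<p>#{comment}</p>"
end

def render_comment_escaped(comment)
  "<p>#{ERB::Util.html_escape(comment)}</p>"
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_query(HOSTILE_NAME)
  p split_sql(unsafe_query(HOSTILE_NAME))    # the OR clause ends up outside any literal
  puts escaped_query(HOSTILE_NAME)
  p split_sql(escaped_query(HOSTILE_NAME))   # the whole input is one literal value
  puts render_comment_raw(HOSTILE_COMMENT)
  puts render_comment_escaped(HOSTILE_COMMENT)
end
```

Running the script shows the difference directly: in the interpolated query the tokenizer reports an ` OR ` that sits outside every string literal, which means the database would execute it as part of the WHERE clause, while in the escaped query the entire input, quotes included, is recovered as a single literal value and the SQL outside it is unchanged. On the HTML side, `ERB::Util.html_escape` turns the angle brackets into entities so the browser renders the comment as text rather than executing it.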