This document discusses several common web security vulnerabilities and attacks:

- Session hijacking involves spoofing IP packets to assume the identity of an authenticated user within an active TCP session.
- Cross-site scripting (XSS) allows attackers to inject client-side scripts into web pages viewed by other users, including storing malicious scripts that are permanently displayed to users (persistent XSS) or including attacks within a single HTTP response (reflected XSS).
- Cross-site request forgery (CSRF) is an attack where an authenticated user is tricked into performing unwanted actions on a web application through a malicious request the user doesn't intend to perform.
- SQL injection involves inserting SQL statements into user input
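
The persistent and reflected XSS cases listed above differ only in where the untrusted string comes from: a stored record or the current request. The following is an added example, not code from the original document, showing both rendering paths with and without HTML output encoding; the comment store, function names and probe string are constructed for illustration.

```javascript
// Added example: output encoding for persistent and reflected XSS.
// All names and inputs here are hypothetical and constructed for illustration.

// Encode the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Persistent XSS surface: a comment is stored once and rendered for every later visitor.
const commentStore = [];
function saveComment(text) {
  commentStore.push(text);
}

// Weak form: stored text is concatenated into the page as markup.
function renderCommentsUnsafe() {
  return commentStore.map((c) => `<li>${c}</li>`).join("");
}

// Hardened form: stored text is encoded at output time, so it is displayed, not parsed.
function renderCommentsSafe() {
  return commentStore.map((c) => `<li>${escapeHtml(c)}</li>`).join("");
}

// Reflected XSS surface: a request parameter is echoed within that single response.
function renderSearchUnsafe(query) {
  return `<p>Results for ${query}</p>`;
}

function renderSearchSafe(query) {
  return `<p>Results for ${escapeHtml(query)}</p>`;
}

// Check used below: does the rendered HTML contain a live script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: markup a browser would execute if it reached the page unencoded.
const probe = "<script>alert(1)</script>";
saveComment(probe);

console.log("stored, unsafe:   ", containsScriptTag(renderCommentsUnsafe()));
console.log("stored, safe:     ", containsScriptTag(renderCommentsSafe()));
console.log("reflected, unsafe:", containsScriptTag(renderSearchUnsafe(probe)));
console.log("reflected, safe:  ", containsScriptTag(renderSearchSafe(probe)));
```

Encoding is applied when the value is written into HTML rather than when it is stored, so the same stored string stays safe to reuse in other output contexts that need different encoding.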