SQL injections accounted for about 7% of Web attacks in 2011 and looked to be petering out, according to security services vendor Trustwave. Then last year those exploits jumped to 26% of Web attacks, hitting companies that could have easily protected themselves.

The Trustwave data proves what hackers have known for years: Even though application vulnerabilities are well known and can be fixed or blocked, many companies don't implement secure coding practices or regularly test their applications to find them. Companies that overlook such basic Web security practices have no chance against more advanced attacks, said Chris Pogue, Trustwave's director of incident response and forensics.

Input validation, where user input -- such as a search query -- is limited to simple strings, is an easy way to protect against SQL injection, but developers frequently fail to do that, Pogue said. "It's one of the things that's taught in college, and if it has made it into the university system, then it's not bleeding-edge technology," he said.

The Web presents a variety of security threats for unwary businesses, from well-known SQL injection and cross-site scripting attacks to more esoteric threats posed by Web scraping and HTML5's many features. What follows are 10 Web threats we think are particularly worrisome, either because they're becoming more popular with attackers or because security pros and developers tend to overlook them.