General Meeting: Web Attacks 101: Cross Site Scripting, Cross Site Forgery and SQL Injection

2009/11/10 - 7:30pm
2009/11/10 - 9:00pm

Cross Site Scripting is the #1 form of attack used in the web world
today. The attack vector usually comes in the form of some sort of
enticement in a forum posting with a bogus link, or a bogus email which
fools the victim into thinking they're doing something to protect
themselves (e.g. changing their online banking password).

Cross Site Forgery is in the Top 10 but is insidious in that the
victim is the website. This form of attack hijacks valid user
credentials and, unknown to the user, performs actions in their name
which benefit the attacker.

SQL Injection is also in the Top 10. In this form of attack the
cracker exploits vulnerabilities in how the input statements are formed
to gain, first of all, detailed knowledge of a database, and secondly,
the ability to extract sensitive information, or even to corrupt the
database.

O'Reilly Media
Doug Bierer