Common web exploits: SQL injection (auth bypass, data extraction), XSS (session hijacking, credential theft), IDOR (access to other users' data), file upload (web shell), path traversal (reading system files), SSRF (internal network access).
IDOR (Insecure Direct Object Reference) = change userId=123 to userId=124 in an API request to see another user's data; in APIs the same flaw is called BOLA (Broken Object Level Authorization). All of these are found by intercepting and modifying requests in Burp Suite. The OWASP Top 10 covers them systematically.
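The userId swap above works only when the server never compares the requested object with the logged-in user. This added example (not from the original notes) puts a lookup that lacks that check beside one that has it; the in-memory store, ids, addresses and function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample data: ids, fields and addresses are hypothetical.
PROFILES = {
    123: {"owner_id": 123, "email": "alice@example.test"},
    124: {"owner_id": 124, "email": "bob@example.test"},
}
DENIED = []  # (actor_id, requested_id) pairs, for alerting on id enumeration


@dataclass(frozen=True)
class Session:
    user_id: int            # taken from the server-side session, never from the request
    is_admin: bool = False


class Forbidden(Exception):
    """Raised for every refused lookup, whatever the reason."""


def get_profile_vulnerable(session, raw_user_id):
    # IDOR/BOLA: the caller is authenticated, but the id in the request is
    # trusted as-is, so userId=124 returns another user's record.
    return PROFILES[int(raw_user_id)]


def get_profile_checked(session, raw_user_id):
    try:
        target = int(raw_user_id)
    except (TypeError, ValueError):
        target = None
    profile = PROFILES.get(target)
    allowed = profile is not None and (
        session.is_admin or profile["owner_id"] == session.user_id
    )
    if not allowed:
        # Same error for "missing" and "not yours", so responses do not
        # reveal which ids exist; the attempt is recorded for detection.
        DENIED.append((session.user_id, raw_user_id))
        raise Forbidden("not found or not permitted")
    return profile
```

A burst of `DENIED` entries from one session walking through consecutive ids is the server-side trace of the intercept-and-modify testing described above.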