I have actually always wanted to write an article like this, but I always felt it would look low-end in the eyes of the experts and perhaps not be worth their notice. Still, I decided to write up my own experience.
In fact, there are many different reasons why sites have vulnerabilities; I can only give you a superficial account based on my own experience of searching for vulnerabilities.
In my understanding, all sites have a four-layer structure like this:
The figure above is the four-layer structure I mean. This four-layer structure is actually a very superficial view. When we submit a parameter from the page presentation layer, it is processed by the business logic layer, which calls the corresponding method to pass it to the data operation layer, and the data operation layer then operates on the database. The principle behind many vulnerabilities lies at this level.
Take the login function we use on the web as an example. The user enters the account and password in the account and password boxes and clicks Submit. This generates a form, which is submitted by POST or GET to the business logic layer for processing. The methods in the business logic layer verify the form and run a series of checks on it (the anti-injection code is generally written here, checking whether the parameters you passed in are illegal). Only after these checks are complete are the form's parameters submitted by some method to the data operation layer, and the result is then returned.
So the cause of most website vulnerabilities lies in the code of the business logic layer. This is why a lot of hard-working script kiddies who target some CMS download the template source code and run a series of white-box tests on it to obtain so-called 0days.
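The login flow described above, sketched as an added example (not code from the original article): each layer is one function, the business logic layer validates the form before passing anything down, and the data operation layer binds parameters instead of building SQL strings. The table layout, the account, the username pattern and the function names are all constructed for illustration.

```python
import hashlib, hmac, os, re, sqlite3

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Layer 4: database (in-memory SQLite holding one constructed account).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password("correct horse", salt)))
    return db

# Layer 3: data operation layer. Parameters are bound, never concatenated,
# so whatever reaches this layer is treated as data, not as SQL.
def find_user(db, name):
    return db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                      (name,)).fetchone()

# Layer 2: business logic layer. Validates the submitted form before
# anything is passed down, then decides the outcome.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed username policy

def login(db, form):
    name, password = form.get("username"), form.get("password")
    if not isinstance(name, str) or not isinstance(password, str):
        return "rejected"
    if not USERNAME_RE.fullmatch(name) or not 1 <= len(password) <= 128:
        return "rejected"
    row = find_user(db, name)
    if row is None:
        return "denied"
    salt, pw_hash = row
    ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
    return "ok" if ok else "denied"

# Layer 1: presentation layer, represented here by the submitted form dicts
# (constructed sample input, including one malformed username).
if __name__ == "__main__":
    db = make_db()
    for form in ({"username": "alice", "password": "correct horse"},
                 {"username": "alice", "password": "wrong"},
                 {"username": "alice' --", "password": "x"}):
        print(repr(form["username"]), "->", login(db, form))
```

Even if the check in `login` were missing, the bound parameter in `find_user` would only look up a user literally named `alice' --` and find none; the two layers fail independently.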
In fact, these are just some basic matters of principle, so there is nothing in particular to watch out for; I just wanted to share some of my personal understanding with everyone!