Today, the most common web application attacks are exceeding network attacks, due to the fact that web applications have more vulnerabilities and user/client side errors, making them easier to penetrate and access.
Common User Input attacks that have been around forever and are extremely common place. If you install a new wordpress site it will get injection attacks fairly quickly before you harden the website, as an example.
The malicious user can embed commands into a user input request and casuse either retrieval of information from the system or command execution on the host itself.
This can include application specific commands, such as database commands, operatiing system commands and even network commands. Most command injection attacks are tailored to the operating system or application used on the server, but generic commands in URLs can affect a variety of systems in different ways.
These attacks use the SQL language to attack the database., through web application vulnerabilities in a user input field.
LDAP is used to query a directory services like Active Directory. These injections involve embedding LDAP query commands into routine web applications requests and getting data back in response.
This is eXtensible markup language (XML) and is similar to HTML.
This attack sends XML content to a web application taking advantage of any lack of input validation and XML parsing.
Problem with XML is they fit into almost any type of attack. It is very important to harden a web page against XML injections