Even if fundamental security risks such as cross-site scripting (XSS) or SQL injections are mitigated during application development, web applications and interfaces are susceptible to vulnerabilities.
In Java aktuell 01/2020, Senior Penetration Tester & Security Consultant Frank Ully writes about lesser known types of vulnerabilties in web applications and APIs (PDF; in German).