Some web applications use SSL to protect the application's authentication page,because this prevents the user's password from traveling in the clear and thus protects the password from eavesdropping attacks, but then they don't use SSL to encrypt the rest of the application's traffic. This largely renders the password orrelevant, however,because the attacker can still snoop on the unencrypted traffic in order to steal the session ID and impersonate the user that way. If you're going to use SSL at all,you really want to use it for your whole application. Resource : Web Application Security, A beginners Guide , By : Bryan Sullivan & Vincent Liu
SQL Injection , XSS , CRSF , Security misconfiguration and CSSLP