I think the biggest mistake is between the chair and the keyboard, but if you break it down further than “did not notice” and assume that novices are not fully aware of the critical errors that can cause serious consequences such as data loss, execution of foreign code, service unavailability or data theft, the black list is organized as follows:
Invalid (or missing) validation of input data
Incorrect encoding, or no processing at all, of output data
SQL injection
Cross-site scripting
Unrestricted console access (OS command injection)
Transmission of personal data over a low-security channel
Cross-site request forged to look like an internal request
Competing threads using one resource, and incorrect release of that resource
Too informative error messages
Program pointer going beyond the allocated memory
External control of internal variables and file paths
Generated code and its potential injection
Auto-update: the program runs received code without confirming its source
Dirty initialization: data from a previous initialization is still available
Arithmetic with limited-range numbers
Unreliable authentication and hard-coded passwords
Using a compromised or broken cryptographic algorithm
Elevated version
Using insufficiently random numbers
Validation on the client side but not on the server side
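As an added illustration (not part of the post above) of three entries on this list at once, input validation, SQL injection and server-side validation: a vulnerable lookup beside its hardened form, run against a constructed in-memory SQLite table. The function and table names are assumptions made for the example.

```python
import sqlite3
import secrets  # CSPRNG for the constructed tokens, not random.random()


def make_db():
    """Constructed in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, token TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", secrets.token_hex(16)), ("bob", secrets.token_hex(16))],
    )
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the caller's input is pasted into the SQL text, so any
    quote in it changes the query (SQL injection, no input validation).
    A name containing an OR clause returns every row of the table."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened: validate on the server side regardless of what the client
    already checked, then bind the value as a parameter so the database
    never interprets it as SQL."""
    if not (1 <= len(name) <= 32 and name.isalnum()):
        raise ValueError("invalid user name")
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]
```

The same user name goes through both functions; only the unsafe one lets a crafted value widen the query to the whole table.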