Writing source code for applications, APIs, websites and programs should always happen with the utmost attention to security: hackers can use all kinds of scripting practices to deploy malicious code, steal user information and cookies, redirect to malicious web sources, etc. Some examples of vulnerabilities are the use of third-party includes, insufficient user-input validation, lack of security headers like Content-Type and X-Content-Type-Options, no Content Security Policy (CSP), unnecessary use of globals, overcomplicated designs, no data encryption, etc.
There are some essential to-dos, like continuously educating yourself and using code scanners and well-known libraries and includes.
SSI / Server-side injections (dynamic injection)
As with lots of vulnerabilities, input sanitization and validation should help against these types of attacks.
Session hijacking, session disruption, session fixation
These types of attacks typically target a user's authenticated (logged-in) session to get access to files and traffic. Session hijacking and session disruption happen after the user has logged in to the application or network/website, while session fixation uses the session identifier to direct the user to an explicit session of which the attacker is already the owner. Depending on the motive of the attacker, anything can happen during a session takeover.
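The session fixation case described above, as an added example that is not part of the original page: a login that keeps the pre-login session identifier beside one that issues a fresh identifier at login. `SessionStore`, `fixation_outcome` and the user name are hypothetical names constructed for this illustration.

```python
import secrets


class SessionStore:
    """Constructed in-memory session store (hypothetical, for illustration)."""

    def __init__(self, rotate_on_login):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session id -> authenticated user name, or None

    def new_session(self):
        sid = secrets.token_urlsafe(32)  # unpredictable identifier
        self.sessions[sid] = None        # anonymous until login
        return sid

    def login(self, presented_sid, username):
        """Authenticate and return the identifier the client must use afterwards."""
        if not self.rotate_on_login:
            # Weak: the pre-login identifier is kept and marked authenticated,
            # so anyone who already knows it shares the logged-in session.
            self.sessions[presented_sid] = username
            return presented_sid
        # Hardened: invalidate the pre-login identifier and issue a new one.
        self.sessions.pop(presented_sid, None)
        sid = self.new_session()
        self.sessions[sid] = username
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid)


def fixation_outcome(rotate_on_login):
    """Return the user the server associates with the identifier known before login."""
    store = SessionStore(rotate_on_login)
    known_sid = store.new_session()   # identifier already owned by someone else
    store.login(known_sid, "alice")   # the user logs in while bound to it
    return store.user_for(known_sid)


if __name__ == "__main__":
    print("without rotation:", fixation_outcome(False))
    print("with rotation:   ", fixation_outcome(True))
```

With rotation enabled, the identifier that existed before login no longer maps to any user, so owning it in advance gives no access to the authenticated session.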