If your web application exists on the public Internet, someone *will* try to exploit it.
Many of these are un-targeted & scripted, their authors hoping that their target will fall to one of the hundreds of un-patched vulnerabilities in frameworks, blog engines or storefronts. Let's go through some common and uncommon exploits in the wild, starting from their traces in server logs, and see how we can detect them and better protect ourselves.