Known bugs

Taken from projects.nth-dimension.org.uk/rptview:

• SQL injection
• ValidateRequest disabled
• Cookies not marked as secure
• Cookies not marked as HTTPonly
• Open redirect
• Arbitrary file upload
• Logic flaw in scoring
• ACL bypass
• Cross-domain Flash allowed
• Base-64 used for obfuscation
• Passwords stored in plain text
• No logout
• customErrors off
• Web service debug forms accessible
• Web service exposed
• Arbitrary file read
• Cross-site scripting
• Message injection
• Sequential, predictable session IDs
• ID enumeration
• Weak database credentials
• Possible backdoor
• Flash movie leaks credentials
• Credentials in code
• SQL queries created using concatenation
• Insecure random number generator
• Cross-site request forgery
• Passwords shown in plain text
• ViewState not encrypted

In case it's not clear, these are all intentional. Some of them should be obvious from an application assessment, but some will require you to read the code. I started off basing my list from the OWASP top 10, but was inspired by the code I was reviewing at the time.