With all the benefits of e-commerce there are dangers such as identity theft for consumers and cyber attacks on websites. Site owners need to take preventative measures. Wellman presents some security procedures and scripts for PHP-driven sites.
One of the most common ways of locating vulnerabilities is port scanning, a process in which hackers send packets of information to server ports to see which ones are open and therefore available to exploit.
Once a potential target has been found, there are a multitude of cyber crimes open to the hacker. Some of the more popular attacks are:
Directory Browsing - The ability to retrieve complete directory listings within directories on the web server. Usually occurs as a result of sloppy server configuration.
Reverse Proxying - Gaining access to back-end application servers by proxying HTTP requests from the external Internet to internal networks via front-end servers. Again, can result from sloppy proxy server configuration.
Source Code Disclosure - This is the ability to retrieve the source code from application files or the application itself in order to find further loopholes or information such as usernames and passwords. Once again this can be traced to poor server configuration or poor application design.
Session Hijacking - Many forms use 'hidden' fields to store session data; once this data has been acquired by the hacker, users' data can be obtained. Session hijacking occurs when there are few or no preventative measures such as server-side session ID tracking or cryptographic session ID creation.
As you can see from the examples above, many hack attacks are caused simply by misconfiguring your web server or web applications. So what preventative measures can you take? Obviously, no site is 100% safe; given enough time and the right software, any site can be penetrated. Realistically though, there are many ways security can be implemented in order to drastically reduce the risks.
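As an illustration of the two session hijacking countermeasures named above (server-side tracking and cryptographically random session IDs), the following is an added example, not code from the original article. It relies on PHP's built-in session handling; the function names, the `IDLE_LIMIT` value, PHP 7.3 or later, and an HTTPS-only site are assumptions.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 900; // assumed idle timeout, in seconds

function start_hardened_session(): void
{
    // Refuse session IDs the server did not issue itself.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID from the cookie only, never from a URL or form field.
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // assumes the site is served over HTTPS
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // Server-side tracking: drop sessions that have been idle too long.
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && time() - $last > IDLE_LIMIT) {
        end_session();
        session_start();       // strict mode issues a fresh random ID
    }
    $_SESSION['last_seen'] = time();
}

function log_in(int $userId): void
{
    // Issue a new random ID at login and delete the old session record.
    session_regenerate_id(true);
    // State lives on the server; the browser holds only the opaque ID.
    $_SESSION['user_id'] = $userId;
}

function current_user_id(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

function end_session(): void
{
    $_SESSION = [];
    session_destroy();
}
```

Call `start_hardened_session()` before any output is sent, and read the user from `current_user_id()` rather than from a hidden form field.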