Exploiting applications through consumable input rather than user input.
Attackers are exploiting applications by feeding them malformed consumable files such as JPG, PNG, WMF and ZIP. This is an important shift for 2 reasons:
1) The supply of low-hanging fruit for direct user input vulns is growing smaller.
2) It raises awareness of consumables as exploitable input. A skilled developer may know how to sanitize user input, but they typically deal with file input by using some Microsoft or 3rd party library. Now developers don't know if they can trust those libraries as they used to. This feeling grows worse if the code is closed source and they cannot verify the security of the code.
Exposing backend functionality/Application logic
In the past, a full application ran on the client side and accessed data stored on the server side. Attackers used various techniques to sniff the traffic and steal this data. Now, with technologies like AJAX, Web Services, etc., the application exists on both the client and server sides while transmitting programming logic across the network. APIs used by the application that can access backend systems are now exposed on the server, and the client calls them. Attackers are learning they too can directly call these APIs and access applications just like a normal user would. This is a huge escalation because the attacker is now inside your application instead of passively listening.
Posted 04-27-2006 1:47 PM by LabsMan