I already build a large scale financial web application using spring stack(spring mvc (jquery) + ioc +jpa+ jboss7) .

It is not restful app. Now we want to perform security testing (penetration testing).

But i have no idea that what are the  common security attack .

which are most common for web application ?

what kind of browser level security issue for web application ?

we already implemented following requirements :

1. Role based Access control ,session management

2. Password encryption

any one please give me some idea , which security requirements need to adapt in our application.