Broken Authentication and Session Management
You can see the session id PHPSESSIONID in the cookies of one browser and copy paste it inside the cookies of another one.
Insecure Direct Object References
Visit news with ID 3 (Page 3).
Cross-Site Request Forgery (CSRF)
Visit the following link and you will send a message: example
Security Misconfiguration (no example here)
Insecure Cryptographic Storage (see the SQL injection example)
Failure to Restrict URL Access (see Insecure Direct Object References)
Insufficient Transport Layer Protection (depends on where do you install your application)