Frequency of attacks on web services and resulting damage continue to grow as web services become popular. Unfortunately, existing signature-based intrusion detection techniques are inadequate in providing reasonable degree of web security. Web attacks are diverse in nature, and typical web architecture consists of complex and hierarchically organized components. Because attack strategies often vary depending on the web contents, it is impossible to develop fixed patterns capturing unknown attacks. Protection mechanisms such as anomaly-based intrusion detection and application-level IDS, tailored to web services, are needed to detect web attacks. The first step in developing web application IDS is to analyze and categorize possible web attacks and vulnerabilities. In this paper, we classify web attacks by analyzing the root causes and the locations where they occur. This research is useful in developing web IDS modules, tracking emerging trends on web attacks, and testing web applications against potential vulnerabilities.