The sinful pattern to watch for is
Sensitive information is read by the web app from a form or URL.
The data is used to make security, trust, or authorization decisions.
The data is provided over an insecure or untrusted channel.