It baffles me how convoluted and complex the webapp attacks have become over the past few years.

I think this is an effect of bug-bounty hunting, which has pretty much opened the research on those topics to a massive community.