Any company worth anything will perform a 'penetration test' on any kind of service or application that is internet facing, including websites.
An obvious way to approach this is to run any of the many publicly available hacking scripts against port 80 in anticipation of the webserver, being it Apache or an old dodgy IIS installation, not being fully patched.
However, there is another way to hack websites, which is by looking for flaws in the code that is being served up by the website. These kind of attacks usually involve looking for cross site scripting vulnerabilities.
In short, cross site scripting attacks exploit badly written code that does not validate user input before writing it back to the browser. I could go into much more detail but this XSS Article explains it much better and also describes an actual exploit in a site that was so badly written I find it difficult to believe it is for real.
Fortunately the main environment I develop for, Microsoft's ASP.net, has built-in support for XSS attacks. Just place the following bit of code in a file named test.aspx, point your browser to it and enter <script>alert(document.cookie)</script> in the input box and click the button.
<HTML><BODY>
<FORM METHOD="POST" ACTION="test.aspx">
<INPUT TYPE="TEXT" NAME="TestVar">
<INPUT TYPE="Submit">
</FORM>
</BODY></HTML>
ASP.net pre-validates all code that a user may have manipulated and throws an HTTPRequestValidationException when it finds anything that is potentially harmful.
Pretty cool, even the worst developer, there are many, is now protected.