Application Security and Vulnerability Analysis

References

General Overviews
  • OWASP AppSec FAQ, OWASP Testing Guide
  • Edward Z. Yang - Intro to Web Application Security, MIT IAP 2009
  • A Study in Scarlet - Exploiting Common Vulnerabilities in PHP Applications, Shaun Clowes

SQL Injection

  • SQL Injection Cheatsheet, Oracle SQL Injection Cheatsheet - Ferruh Mavituna
  • Advanced SQL Injection - Chris Anley

Session Management and Authentication

  • Do's and Don'ts of Client Authentication on the Web
  • Robust Defenses to Cross-Site Request Forgery
  • Secure Session Management with Cookies for Web Applications

Crypto

  • Chris Eng - Cryptography for Penetration Testers (slides)
  • Nate Lawson - When Crypto Attacks
  • Beware of Finer-Grained Origins

XSS

  • Cross Application Scripting and URI Exploitation
  • Metasploit's XSS Framework and the Browser Exploitation Framework (BeEF)

HTTP Headers

  • Content Security Policy
  • Strict Transport Security
  • X-Frame-Options
  • Do Not Track

Other

  • Exposing Private Information by Timing Web Applications
  • Neat injection flaws in JSF, Spring, JBoss, Struts with exploit code
This work is licensed under a Creative Commons License.