Google Hacking for Penetration Testers

References

White papers:

  • Cross-site scripting:

    • Cross-Site Scripting, by Kevin Spett, www.spidynamics.com/whitepapers/SPIcross-sitescripting.pdf

    • The Cross-Site-Scripting FAQ on CGI Security, www.cgisecurity.com/articles/

  • SQL injection (all three of these are excellent papers written by some of the sharpest minds in computer security):

    • Web Application Disassembly with ODBC Error Messages, by David Litchfield, www.nextgenss.com/papers/webappdis.doc

    • Advanced SQL Injection in SQL Server Applications, by Chris Anley, http://www.nextgenss.com/papers/advanced_sql_injection.pdf

    • Blind SQL Injection, by Kevin Spett, www.spidynamics.com/support/whitepapers/Blind_SQLInjection.pdf

  • Web sites:

    • The Open Web Application Security Project (OWASP), www.owasp.org, hosts an annual conference and local chapters on Web application security. The site offers many excellent papers as well as some tools.

    • CGI Security, www.cgisecurity.com, offers papers, articles, links, and more by Bob Auger.

    • Security Focus, www.securityfocus.com, the CNN of the InfoSec world.

  • E-mail:

    • Web Application Security on Security Focus, webappsec@securityfocus.com, moderated, moderate traffic. This is the de facto OWASP list and deals only with Web application security.
