application attacks

Monthly updated list of the best-known real-world web application hacks:
http://www.webappsec.org/documents/real_world_web_hacking.shtml

"Divide and Conquer - HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" (released March 2004), listed on the webappsec.org whitepapers page:
http://www.webappsec.org/whitepapers.shtml

"Technical Note: Detecting and Preventing HTTP Response Splitting and HTTP Request Smuggling Attacks at the TCP Level":
http://www.webappsec.org/lists/websecurity/archive/2005-08/msg00044.html

Stopping automated attack tools:
http://www.ngssoftware.com/papers/StoppingAutomatedAttackTools.pdf
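The mechanism behind the two response-splitting papers above, as an added illustration (this is not code from those papers): a hypothetical redirect handler copies a query parameter straight into the Location header. An attacker who gets CR/LF into that value closes the redirect early and appends a complete second response of their own, which a proxy or cache in the path may store against the next request (the cache-poisoning case). The handler, the percent-encoding fix, the attacker value and the small stream parser that models how a downstream HTTP parser would split the bytes are all constructed here; the parser is also the "one request must yield one response" check the technical note argues for.

```python
"""Added illustration of HTTP response splitting (not from the linked papers).

A hypothetical redirect handler copies the ``lang`` query parameter into the
Location header.  If the value carries CR/LF, the attacker terminates the
redirect early and appends a second, fully attacker-controlled response,
which a proxy or cache may store for the next request (cache poisoning).
The parser below models how a downstream HTTP parser splits the stream.
"""
import urllib.parse

CRLF = "\r\n"


def build_redirect_vulnerable(lang: str) -> str:
    """Hypothetical handler: user input lands unfiltered in a header value."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: http://example.test/index.html?lang=" + lang + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def build_redirect_fixed(lang: str) -> str:
    """Same handler after the fix: the value is percent-encoded as a URL
    component, so CR and LF become %0D%0A and never reach the header."""
    return build_redirect_vulnerable(urllib.parse.quote(lang, safe=""))


def parse_responses(raw: str) -> list:
    """Split one server-to-client stream into the HTTP responses a
    proxy or browser would see, using Content-Length to delimit bodies."""
    responses = []
    pos = 0
    while True:
        while raw.startswith(CRLF, pos):      # tolerate stray blank lines
            pos += 2
        if not raw.startswith("HTTP/", pos):  # no further status line
            break
        head_end = raw.find(CRLF + CRLF, pos)
        if head_end < 0:
            break
        status, *header_lines = raw[pos:head_end].split(CRLF)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        responses.append({
            "status": status,
            "headers": headers,
            "body": raw[body_start:body_start + length],
        })
        pos = body_start + length
    return responses


def is_split(raw: str) -> bool:
    """Detection check: a single request must yield exactly one response."""
    return len(parse_responses(raw)) > 1


# Constructed attacker value, shown already URL-decoded (as the web server
# hands it to the handler).  It closes the 302 with an empty body and then
# supplies a complete second response carrying the poisoned page.
POISONED_BODY = "<html>Poisoned</html>"
EVIL_LANG = (
    "en" + CRLF
    + "Content-Length: 0" + CRLF
    + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Content-Length: " + str(len(POISONED_BODY)) + CRLF
    + CRLF
    + POISONED_BODY
)

if __name__ == "__main__":
    for label, build in (("vulnerable", build_redirect_vulnerable),
                         ("fixed", build_redirect_fixed)):
        raw = build(EVIL_LANG)
        msgs = parse_responses(raw)
        print(f"{label}: {len(msgs)} response(s), split={is_split(raw)}")
        for m in msgs:
            print("   ", m["status"], repr(m["body"]))
```

Running it shows the vulnerable build yielding two responses (the attacker's 200 with the poisoned body second) while the fixed build yields one whose Location simply contains the literal %0D%0A sequences. Rejecting CR/LF outright instead of encoding is an equally valid fix; what matters is that the check sits on every value that reaches a header, not only on Location.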
A good collection of papers on MySQL, web application security, DNS, mail and so on:
http://www.ngssoftware.com/papers.htm

Web application security mailing list (websecurity), September 2005 archive:
http://www.webappsec.org/lists/websecurity/archive/2005-09/index.html#00013

Full archive of the list, and the application security whitepapers:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/whitepapers.html
Wiki for "Improving Web Application Security: Threats and Countermeasures" (Roadmap). The guide was written by J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan at Microsoft Corporation and released in June 2003:
https://www.threatsandcountermeasures.com/wiki/default.aspx/Original.ThreatsAndCountermeasures.HomePage
An HTML version of the guide was originally posted at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/ThreatCounter.asp

Application security and proof-of-concept code:
http://www.cgisecurity.com/
SAMATE (Software Assurance Metrics and Tool Evaluation) supports the Department of Homeland Security's Software Assurance Tools and R&D Requirements Identification Program. The objective of part 3, Technology (Tools and Requirements), is the identification, enhancement and development of software assurance tools. NIST leads (A) testing software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods:
http://samate.nist.gov/index.php/Main_Page

Free web application attack suite; better attack your own web portals before someone else does:
http://portswigger.net/suite/
Some links about PHP security:
http://brainbulb.com/talks/php-security-audit-howto.pdf
http://brainbulb.com/talks/php-security-briefing.pdf
http://phpsec.org/

Open source web application firewall:
www.modsecurity.org

Fiddler, an HTTP debugging proxy that records all the HTTP traffic between your computer and the Internet:
http://www.fiddlertool.com/fiddler/
Paros, a web proxy for analysing the security of web applications:
http://www.parosproxy.org/index.shtml

Netcat, which can stand in for a browser (talk to the web server by hand) and record the traffic:
http://www.vulnwatch.org/netcat/
XPath injection attacks against XML-backed applications:
http://palisade.paladion.net/issues/2005Jul/xpath-injection/

Software that checks source code for security flaws (Software Magazine, July 2005):
http://www.softwaremag.com/L.cfm?Doc=2005-07/2005-07

HTML comment tags are an often-overlooked programming mistake that can reveal sensitive information about your site. Several press organisations have warned that search engines like Google and AltaVista are handing hackers user IDs, passwords, credit card numbers, classified documents and other sensitive internal information left in HTML comments:
http://www.siterecon.com/HTMLComments.aspx

list of databases with ports
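A quick way to audit your own pages for the HTML-comment leaks described above, as an added example (this is not code from siterecon or any of the linked sites): pull every comment out of a page with Python's standard html.parser and flag the ones that look like credentials, internal hosts or addresses, SQL fragments, server file paths or developer notes. The sample page, its hosts, paths and password, and the category regexes are all constructed for illustration; tune the patterns to what your own developers tend to leave behind.

```python
"""Added example (not from the linked article): extract HTML comments from a
page and flag the ones that look like they leak something.  Sample page and
category patterns are constructed for illustration."""
import re
from html.parser import HTMLParser

# Heuristic categories; extend to taste.  Each pattern is checked
# case-insensitively against the comment text.
SENSITIVE_PATTERNS = {
    "credential": re.compile(
        r"\b(pass(word|wd)?|pwd|secret|api[_-]?key|token)\b\s*[:=]", re.I),
    "account": re.compile(r"\b(user(name|id)?|login|uid)\b\s*[:=]", re.I),
    "internal-host": re.compile(
        r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b[\w-]+\.(?:local|internal|corp|lan)\b",
        re.I),
    "sql": re.compile(
        r"\b(select|insert|update|delete)\b.*\b(from|into|set)\b", re.I),
    "file-path": re.compile(
        r"(?:[a-z]:\\|/(?:etc|var|home|usr|opt)/)[\w./\\-]+", re.I),
    "dev-note": re.compile(
        r"\b(todo|fixme|hack|xxx|debug|remove before)\b", re.I),
}


class CommentCollector(HTMLParser):
    """Collects every <!-- ... --> block, including ones inside <head>."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html: str) -> list:
    """All comment bodies in page order, whitespace-trimmed."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def find_comment_leaks(html: str) -> list:
    """Return [{'comment': ..., 'categories': [...]}] for each comment that
    matches at least one sensitive pattern, in page order."""
    findings = []
    for text in extract_comments(html):
        hits = sorted(name for name, rx in SENSITIVE_PATTERNS.items()
                      if rx.search(text))
        if hits:
            findings.append({"comment": text, "categories": hits})
    return findings


# Constructed sample page; nothing here is a real host, path or credential.
SAMPLE_PAGE = """<html><head><title>Orders</title>
<!-- page layout v2 -->
</head><body>
<!-- TODO remove before release: debug login is admin / Password: Sup3r!pass -->
<form action="/login" method="post">...</form>
<!-- DB: select * from orders where cust_id=? on db01.corp (10.0.3.17) -->
<!-- old include: /var/www/inc/config.php.bak -->
<p>Thanks for shopping.</p>
</body></html>"""

if __name__ == "__main__":
    for f in find_comment_leaks(SAMPLE_PAGE):
        print(", ".join(f["categories"]), "->", f["comment"])
```

On the sample page the harmless layout comment is ignored and the other three are reported with their categories. Point the same function at saved copies of your own pages (or at what a crawler fetches) and treat every hit as something to move out of the served HTML, because search engines index comments just as they index visible text.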