Web application security readings

Articles:

• Mozilla Web Application Security (quick reading, 10 min)
• Browser Security Handbook (quick reading, 30 min)
• OWASP Cheat Sheets (quite comprehensive reading, several hours)
• How Browsers Work

Slides:

• Cross Site Scripting (XSS) Slides from Mozilla Security Learning Center (38 pages, 10 min)
• Web Application Security: Hands On Slides from Michael Coates 

Specifications:

• CSP (Content Security Policy): a W3C draft spec that defines fine grained security policies for resource loading to mitigate the risk of injection attacks such as XSS. The policy per resource representation is defined in new header is Content-Security-Policy. Firefox and Chrome is experimenting in headers X-Content-Security-Policy and X-WebKit-CSP respectively. The spec also defines a report-only mode without browser enforcing the policy but sending violation reports to the server, which is helpful for gradually enforcing the right policy.

Books:

• "The Web Application Hacker's Handbook (2nd)"
• "Web Security, Privacy and Commerce"
• "Hacking: the Next Generation"