These are the best online resources in web application security :

• RSnake’s Blog
• OWASP
• Jeremiah Grossman’s Blog
• The Web Security Mailing List
• sla.ckers.org forum
• Web Application Security Consortium
• Security Focus Web Application Security List
• GNUCITIZEN
• cgisecurit
• Security Focus Hacking Exposed Web Applications, 2nd Edition (Joel Scambray, Mike Shema, Caleb Sima)
• Full Disclosure
• Google
• BugTraq
• XSS (Cross Site Scripting) Cheat Sheet
• Secunia
• Sylvan von Stuppe
• BlackHat
• Schneier on Security
• PaulDotCom
• Professional Pen Testing for Web Applications (Andres Andreu)
• del.icio.us (webapp security)
• FrSIRT
• IEEE S&P OSSTMM
• (IN)SECURE Magazine
• Software Security (Gary McGraw)
• 19 Deadly Sins of Software Security -(Michael Howard, David LeBlanc, John Viega)
• SecuriTeam
• qasec
• WhiteHat Security
• http://www.security.nnov.ru
• Web Security Threat Classification
• http://www.securityfocus.com/archive/107
• How to Break Web Software (Mike Andrews, James A. Whittaker)
• Microsoft
• Security Focus Penetration Testing
• SearchAppSecurity
• National Vulnerability Database
• ComputerWorld Safari Bookshelf

OWASP is happy to announce the first release of OWASP Pantera – Web
Assessment Studio. Pantera is a mix between a pentest proxy, an application
scanner, and an intelligent analysis framework. Pantera’s goal is to leave
the analysis and automatic (repetitive) stuff to the engine, leaving only
the important decisions to the security expert.
Great tool !
OWASP Pantera Web Assessment Studio Project

The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. Everything here is free and open source.
OWASP has released the Security Testing Guide v2 .At 270 pages, this guide is already a must-have for most developers and penetration/application testers, but we want to take it one step further and make sure that everything is 100%.
The team leaders of this project are Eoin Keary – Editor and Matteo Meucci – Autumn of Code Lead .

Get it here :
http://www.owasp.org/index.php/OWASP_Testing_Guide_v2_Table_of_Contents

I came across an ingenious way of breaking the same-origin policy by undermining dns-pinning : http://shampoo.antville.org/stories/1451301/ Voila, the intranet is wide open ! Good work.