If you don't know who this is, he wrote one of my favourite books on web (browser) security: "The Tangled Web" [1].

Another lesser known book by him is also worth a read: "Silence on the Wire" that takes a look at the full information security stack from the keyboard you type on, to the wires the data transits, to the internet protocols, etc [2] and looking at how each stage exposes/protects data.

And has quite an interesting history in infosec beyond that [3].

[1] https://www.amazon.com/Tangled-Web-Securing-Modern-Applicati...

[2] https://www.amazon.com/Silence-Wire-Passive-Reconnaissance-I...

[3] https://en.wikipedia.org/wiki/Micha%C5%82_Zalewski

my biggest realisation of this was when reading the opening chapters to Michel Zalewski's Tangled web [1]. He does an excellent brief intro to how we got to where we are, warts and all.

Things like content sniffing where a browser can't work out what type of file it's been given, so has an algorithm to take a guess and render based on that are what we've got to deal with.

[1] https://www.amazon.com/Tangled-Web-Securing-Modern-Applicati...

OWASP is a massively disorganized, vendor-driven, volunteer (read: soapbox-as-a-service) organization littered with half-completed, abandoned projects. That said, there are a small few that are "ok".

I like using ASVS as a checklist when doing a webapp pentest:

https://www.owasp.org/index.php/Category:OWASP_Application_S...

The OWASP testing guide is an incredibly verbose walkthrough for finding most types of web vulns:

https://www.owasp.org/index.php/Category:OWASP_Testing_Proje...

Some of the cheat sheets are ok, but many are littered with incorrect and incomplete info, so take them with a grain of salt:

https://www.owasp.org/index.php/Cheat_Sheets

All that said, I think that most (all?) professional web security testers use Burp Suite and have a copy of The Web Application Hacker's Handbook (2nd) on their desk. The book's authors wrote an on-demand assault course to help learn the concepts in the book and it is pretty decent. About $200 and you'll get most of the way through it. A few people I've known that went through it gave it good reviews.

http://mdsec.net/

I think the second book most web security testers have on their desk is The Tangled Web by Michal Zalewski (of afl-fuzz and ratproxy fame). If you have a chance, reading the ratproxy source can be an informative way to learn how a web scanner is built and about the vulns it can find:

http://www.amazon.com/The-Tangled-Web-Securing-Applications/...

https://code.google.com/p/ratproxy/

Finally, the last and probably best way to learn web security is to play in a CTF. These are time-compressed challenges that last 24-72 hours where teams of competitors hack purposefully vulnerable applications to score points. Here's a calendar of upcoming competitions and a little guide I wrote about them:

https://ctftime.org/calendar/

https://trailofbits.github.io/ctf/

EDIT: Ah, I realize I wrote this from the perspective of learning to break web applications and included few development resources. While some of that knowledge is generic (password storage, for instance), much of that knowledge is framework-specific. For example, see the Rails security guide and brakeman:

http://guides.rubyonrails.org/security.html

http://brakemanscanner.org/

I'd also like to know Security 101 for web developers.

In a recent appsec thread, there were two books that a lot of people recommended:

http://www.amazon.com/The-Tangled-Web-Securing-Applications/...

http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

https://news.ycombinator.com/item?id=5862102