Know your Enemy: Web Application Threats
Jamie Riden, Ryan McGeehan, Brian Engert and Michael Mueter just released a Honeynet paper on web security called Know Your Enemy: Web Application Threats.
The paper is very good and deals with all kinds of web threats, such as SQL injection and XSS. Of most interest to me were code injection and remote code inclusion; as you remember, we published a paper of our own this month on these specific issues in Virus Bulletin magazine. The Honeynet paper deals with many issues other than these and is most definitely recommended reading.
In our paper we linked to an older paper by Jamie Riden. These guys know what they are talking about.