It always amazes me how many web programmers do not understand the myriad ways a web application can be vulnerable.
Often, such vulnerabilities go unaddressed due to ignorance or reluctance to accept responsibility.
However, while the humor in Bobby Tables is immediately apparent to me, I cannot claim to understand all possible ways to attack a web application. I just know that there are possibly a zillion ways of attacking anything I write with malicious people thinking up new ways every day.
Enter Google's Web Application Exploits and Defenses code lab.
It exposed me to at least six ways of attacking a web app that I had not thought of before.
Now, of course, one can claim that such a well-written and detailed hands-on workshop in how to exploit web apps is dangerous because it can also be used by malicious people.
I would point out that there is no shortage of information and/or tools for such people. They seem to be much more motivated and better adapted to attack web applications than the median programmer and systems administrator seems to be to protect them.
If you are in that group of well-intentioned people but suspect that your understanding of web application security may not be all it needs to be, or even if you think you are the best of the best of the best but could use the practice, try Web Application Exploits and Defenses. Your time will not be wasted.