
I'm tentatively hoping to spend Monday nights working on some web security knowledge improvement. In my day job this comes up every now and then. The motivation for spending some time on web application security is that a while back I worked with the folks who set up XSS protection for the day job, and we came up with a pretty cool regular expression. Also, because I have played with the authentication mechanisms a few times for the current day job, authentication integrity and site protection from lawsuits seem to crop up a bit.

Recently I've found Gruyere and WebGoat to be two very interesting and easy-to-set-up starting points. I also want to investigate Firesheep and play with it a little as well. I'm going to start with WebGoat due to the wealth of quality explanatory material on the website, and my lack of Python familiarity to date.

WebGoat is a Tomcat/Java web application that can be downloaded via Maven or as a pre-configured zip file with Java and Tomcat already set up. Despite the 60+ MB download, I decided it would be quicker to grab the self-contained application to get up and running.

While I was waiting for the download, a good read is the OWASP Top Ten for 2010: