I was on a boring conference call this morning and noticed I'd accumulated quite a glut of WebAppSec reading links. I figured I'd dump them here for people to peruse and give me a way to clean up my bookmarks :)

WebAppSec:
- XSS Vulnerability Shows How Security Issues Can Creep into Popular Software
- Sector Presentations (2014)
- Generic XXE Detection
- Hacking HTTPS -> HTTP referrers
- Referrer CSRF Bypass (Not Effective But Alternative)
- Playing with Content-Type – XXE on JSON Endpoints
- Clickjacking with Jack
- Your Application Security Program: Flawless Logic for Big Savings
- 5 Steps for a Winning AppSec Program

SAML:
- On Breaking SAML: Be Whoever You Want to Be
- OWASP: Auth Cheat Sheet: SAML
- ZAP SAML Extension (2yrs old as of 201507)

Cookie Bombing:
- Browser Cookie Limits
- DoS attack on CDN users
- Cookie Bomb or let's break the Internet
- The maximum total HTTP header length for BIG-IP WebAccelerator ...