Here is a list of resources to learn about security.

The following links are mostly about the basis of binary exploitation and reverse engineering:

• The basis of assembly language (x86, 32 bits) : link
• The basis of assembly language (x86, 64 bits): link
• The basis of binary exploitation on Linux: link
• The basis of stack base buffer overflow exploitation: link
• The basis of format string exploitation: link
• Software security courses on Coursera: link
• The Shellcoder's Handbook, discovering and exploiting security holes.
• Basic security protections and how to bypass them: link

More in-depth binary exploitation:

• No whitespace shellcode: link
• Advance format string exploitation: link, link, link
• Return Oriented Programming: link, link, link
• Exploit C++ virtual tables: link
• Information leakage with Stack Smashing Protector: link
• Sigreturn Oriented Programming: link
• X86 calling conventions: link
• Syscall table for Linux, x86_64: link
• Syscall table for Linux, x86: link
• The .init and .fini sections: link
• The .dtors section: link
• Understand dynamic library calls (using the PTL and GOT): link
• Heap buffer overflow exploitation: link, link, link, link

Recent papers about binary exploitation:

• Attacking Branch Predictors to Bypass ASLR: link
• Blind Return Oriented Programming: paper, website

Common knowledge & vulnerabilities:

• HTTP: link
• The Web Application Hacker's Handbook
• Information disclosure using robots.txt: link
• Information disclosure: .git, .svn, index.phps, index.php~, index.php.swp
• Session hijacking: link
• Cross Site scripting (XSS): link, link, link, link
• Cross Site Request Forgery (CSRF): link
• Command Injection: link
• HTTP Response Splitting: link, link
• HTTP Header Injection: link
• HTTP Verb Tampering - Bypass badly written .htaccess: link
• HTTP Request Smuggling: link
• Bypass improper PHP redirections: link
• PHP Path Truncation: link
• Full path disclosure: link
• Local and Remote File Inclusion (LFI, RFI): link, link, link, link, link
• Local File Inclusion and /proc/self/environ: link
• Null byte + File Inclusion: link
• Null byte in PHP preg_replace: link
• PHP Upload: link
• PHP Type Juggling: link, link
• PHP Unserialize: link
• Python pickle: link, link, link
• Server Side Template Injection: link
• SQL Injection: link, link, link
• SQL Injection, bypass PHP addslashes(): link, link
• SQL Injection, bypass filters: link, link, link, link
• Blind SQL Injection: link, link
• Time based Blind SQL Injection: link
• NoSQL Injection: link
• Time based Blind NoSQL Injection: link
• XPath Injection: link, link
• Blind XPath Injection: link, link
• XML Injection (using XXE): link
• LDAP Injection: link, link

Recent papers about server side web security:

• mXSS Attacks: Attacking well-secured Web-Applications by using innerHTML Mutations: paper

• Generate MD5 collisions: link