I am looking at pursuing a career in the security field. I have a few years of admin on both the Windows/Network side and am comfortable with Linux and learning more every day with it. But as I continue to pursue my CISSP and other security training I see more and more talk about application and web application security.

I want to start off by saying I have a decent grasp and conceptual knowledge of OS level attacking, and exploiting a machine on that level. However, what I have a problem with and lack a good understanding of, as I am trying to learn more about security, is web application/code/XSS and being able to break the code. I am not looking at cracking a compiled .exe file or reverse engineering those; that will be coming later.

I have been playing around with and looking at Damn Vulnerable and what they have on their ISO for web vulnerabilities and using what little knowledge I have to try and gain what access I can, but unfortunately haven't found any good reads/tutorials on this. I have seen some of the different tools that are out there, but I would rather gain a good conceptual grasp of the underlying methods and how the attacks work before I would want to look at using a tool to do something with it.

Any guidance or a point in the right direction to learn more would be appreciated.