I like Hacking Web Applications Exposed, second edition. I really do. Here's the foreword I wrote:
"Reveals the magic behind the attacks that are so pervasive on the Web today. Knowing the attacks is a first step towards figuring out effective countermeasures. The authors' style makes the information real and practical, while sharing their real-life experience."
Joel Scambray, Mike Shema, and Caleb Sima are the authors. What you might know about Joel Scambray is his previous Hacking Exposed books. What you might not know about him is that he ran the security operations for MSN. I worked closely with Joel during our Improving Web Application Security: Threats and Countermeasures days. He shared my passion for chunking up information to deal with tough problems. We had lots of deep conversations about using buckets to break security down into manageable chunks and driving action. I miss our talks.
I first got to see Caleb Sima in action at one of our Microsoft-hosted security events. He's one of the most entertaining presenters I've seen. He walked through a Web attack, weaving a story of suspense and drama, full of amusing twists and turns.
Bottom line - the book is insightful, practical, and the authors do a great job of interspersing actionable nuggets throughout.