Amazon.com just published my four star review of Web Application Obfuscation by Mario Heiderich, Eduardo Alberto Vela Nava, Gareth Heyes, David Lindsay. From the review:
I had really no idea what to expect when I started reading Web Application Obfuscation (WAO). I hoped it would address attacks on Web technologies, perhaps including evasion methods, but beyond that I didn't even really know how to think about whatever problem this book might address. After finishing WAO, it's only appropriate to say "wow." In short, I had no idea that Web browsers (often called "user agents" in WAO) are so universally broken. Web browser developers would probably reply that they're just trying to handle as much broken HTML as possible, but the WAO authors show this approach makes Web "security" basically impossible. I recommend reading WAO to learn just how crazy one can be when interacting with Web apps.