In a thread on StackOverflow people (programmers mostly) post about worst security holes they have ever seen. It's pretty interesting reading.
You know what's most interesting about it? If you are a practising pentester, you'll be bored half way through the first page, because you have seen most of those holes. Negative amount of pizza? You bet.
Some time ago I was thinking: how come that within a month of learning about XML external entity injection I encounter an application that is vulnerable to it and within two months of learning of Java servlets member variables race conditions I am looking at one?
Either it is an amazing case of synchronicity or the web applications are generally so buggy that you are guaranteed to encounter every conceivable security bug within next (let's say) three months.
