I am interested in learning about how hackers find and exploit vulnerabilities. Specifically about Windows hacking and web hacking, i.e. I'm NOT interested in Linux/Unix stuff.
Are there any good websites with technical articles about specifically how to find, exploit and block vulnerabilities, with code samples and tools used?
I can do a quick search and there are a load of sites, but I'm looking for something with a little more quality, geared towards an audience with a programming and web background.
Even a good book, but only if it's Windows/web specific.
Thanks a lot
Smashing the Stack for Fun and Profit is the classic Phrack article on writing buffer overflow exploits.
A good starting point for a web developer would be the Open Web Application Security Project (OWASP). They have a lot of resources on the subject of Web Application Security and some on application security in general. You can get some of the wisdom of that side in book form.
Try Simson Garfinkel's book on web security first.
I highly recommend:
Hacking: The Art of Exploitation
Gray Hat Hacking, Second Edition: The Ethical Hacker's Handbook
I liked the Web Security Testing Cookbook. Some non-Windows stuff in there. The focus is on testing and using tools to find problems.
Subscribe to Schneier on Security. It's a great security blog.
For web hacking I recommend reading the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (very good book with lots of examples. It also shows you the tools which will get you started).
Also for web hacking I recommend completing and understanding all the challenges you can solve by downloading the WebGoat.
See the top 100 network security tools list at http://sectools.org/.
I think what you'll need would be to join some hackers' community which would provide many missions where you'd have to find the exploits yourself...
Understand that if you have to learn hacking you'd have to hack something...
www.enigmagroup.org would be a useful one...
www.securitytube.net from here you can get videos on almost every security-related issue...
Don't get me wrong, but if you really want to understand security stuff, Linux is really the way to go. There, you'll really learn the fundamentals, i.e. things that are important everywhere (encryption, ASM, programming, protocols, [etc]). However, on Linux, you'll be able to read real code and use/find real exploits (and of course, send bug fixes). You'll also find a lot more documentation and a really nice community.
I know I'm biased toward Linux and you'll probably think I completely missed your question. However, I know friends of mine who asked me the same question and I told them what I've just told you.
Once you know the base, you can easily find the documentation you want (reading RFCs, learning new languages, architectures, tools, source code, etc.). This is by far better than to know a procedure to execute an exploit without understanding why it exists.
One last thing, the best hackers don't find exploits by guessing: they have a perfect understanding of the underlying structure and see something wrong. Then, some exploit it, others send a patch to fix it - this is not the right place to argue about it - however, they are both experts in this domain.