You can try the latest version of WebGoat 5.2 to find vulnerabilities in web applications. It describes all the information about the OWASP (Open Web Application Security Project) vulnerability classes.
WebGoat is an open source tool. You can test cross-site scripting, SQL injection, DoS attacks, Ajax security, authentication flaws, hidden field manipulation, session flaws, cookie hijacking, etc.
If you need any help with web application security, please reply with your queries.
I have never heard of any book on breaking web application security that gives all the information needed. According to me, OWASP is best for it. You will get good documentation about it, and you can also try it on your own using WebGoat, developed by OWASP.