A nice quick and dirty list of things to test for during a penetration test as well as to keep in mind when developing a web application can be found here.

If you haven’t came across it before, you should also check out the OWASP’s top 10 most critical web application flaws.