The WASC (Web Application Security Consortium) has just released the second version of their Threat Classification document. It contains a list of all the classes of attacks and weaknesses they have identified as being relevant to web applications. Personally, I like using it to supplement developer education materials but there are a number of ways you can use it (they suggest a few here: http://projects.webappsec.org/Using-the-Threat-Classification)

I wholeheartedly encourage y'all to check it out:

http://projects.webappsec.org/Threat-Classification

http://projects.webappsec.org/Threat-Classification-FAQ