I am really interested in this field, and I would like to study more about it, in order be able to do penetration testing on it.
Unfortunatelly my company doesn't want to pay for any certification. My boss says that I have enough certifications and I need more experience (he is 50% right, but I already had all my certifications when I came to them, so they just want to profit of my hard work and my personal money spent on education).

So, my actual plan is to start with "The web application hackers handbook" and to use websec dojo's live cd. Is this enough in order to have a good start, or there are other books to start with?

I mention that I don't have programming skills in the web field, only some C++.

Thank you!

While you don't have to learn any web programming to be a web app pen tester, you will have to learn some to be a good one.  The resources that you have listed are good, but I might try to go ahead and start working on picking up some php, javascript, etc.  

So.. good web resources:
RSnake has some great resources.  Check them out at http://ha.ckers.org/ .  Specifically check out the XSS Cheat Sheet.  I go back and reference it from time to time when folks have mostly gotten data validation done correctly but have missed something.


Samurai WTF: Samurai Web Testing Framework can be found at  http://samurai.inguardians.com/ .  This live cd distribution has many of the tools that you will want to become familiar with.  This is a pretty lightweight distribution with great tools, and is a great start

I'm sure others will post more

First off, I think the answer your manager gave you is an asshat managers answer.  A manager should be supportive of an employees desire to certify/educate.

What exactly do you do for your company?  Does the certification directly relate to your job?  If so, it would be an easier sell... but anyway...

I think you might find some great resources from OWASP, http://www.owasp.org.

Good luck!

Here's a couple more links that might be useful! (If you haven't taken a look into them yet)

Damn Vulnerable Web App:
http://dvwa.co.uk/

And maybe even look into LearnSecurityOnline's, "So You Want To Be A Web App Pentester" course. It looks like a good price.

http://www.learnsecurityonline.com/offerings/courses/224-so-you-wanna-be-a-webapp-pentester

-Cheers

Well.. me again.

As I mentioned in one post I had a lot of free time at my job, because they don't have many contracts (they are a consulting company). And it wasn't only me, there were more guys that did almost nothing. But because I was the last one employed I got fired Friday. This wasn't fair because I have quit my previous job only because they promised me that I'll have a lot of things to do and I'll learn a lot by doing contracts under the supervision of someone more experienced. But the reality was different. 

So, now I have a lot of free time. My dilemma is if I should continue with studying penetration testing (by myself only) or I should go on another direction.

I know that there are many opportunities in firewalls field, but I don't have experience and knowledge (even if I am able to study them). Also, I really don't like this domain, it is not suitable with my personality and way of thinking.

So my problem, should I continue and study hard for the next few months penetration testing (network, web application and system) or I should change the field just to be able to have more chances to find a decent job.

Besides pentesting I will improve my knowledge in risk analysis and project management.

Thank you!

@ Ketchup

This was the type of company I was working for, only that it was very small, 10 employees. Also, most of the companies wants to hire you as a consultant and send you to do contracts. They only want to make money on you, not to train you at all.