For you to become good with web application security testing this is the baseline required.
|Working||You can write code, execute commands etc. Basically do hands-on|
|Basic||You are aware of, you can read code and build on it while on the job|
- Working knowledge of HTML
- Basic knowledge of CSS
- Working knowledge HTTP
- Working knowledge of at least 1 server side programming language. In order of preference (nodejs, Python, PHP, Java)
- Working knowledge of setting up a website in a linux server (locally in a virtual machine and some where online such as Digital Ocean etc.)
- Working knowledge of setting up and managing at least 1 relational database server such as Mysql/Postgres
- Working knowledge of DNS records
- Working knowledge of command line tools and BASH scripting and Python Scripting to work on Linux/Windows computers
- Working knowledge of Burp Suite and OWASP ZAP
- Ability to document your learning using Markdown, gitbooks, mkdocs/raneto and stored using version control. (Bitbucket is an online git repo hosting solution that will give you unlimited private repos for free)
Personal Website Project (Capstone project)
Imagine an initiative you take up. (This should be done in 3-4 days of 8 hours of work once you are done with the above)
- Create your own website with dynamic content so it involves hand-coding HTML, some basic JS for client side validation, CSS to make things pretty, Server side backend to process HTML form post, saving data to database
- Configuring your own server to setup web server, database server and using this to host your website in VM and later on a public internet server
- If you host it on a public internet server you will need to buy a domain name, configure A records etc.
Once you have all of this (This will take 3-6 months)
- Working and attacking knowledge of all the vulnerabilities mentioned in OWASP Top 10 but gained by reading the OWASP Testing Guide 4.0
- Working and defending knowledge of all the above vulnerabilities gained by reading the OWASP ASVS 3.0
Now you can learn (For life)
- How to use the user driven approach to do a complete vulnerability assessment of a web application (Chapter 21 from WAHH)
- How to do a complete vulnerability assessment of a mobile application
To do these 2 there are enough number of vulnerable applications to play with.
If you do the core skills and build the personal website completely in terms of tech required you are ready to pursue security testing in any order you like. But following and building a deeper understanding of the OWASP Testing Guide and the OWASP ASVS will give an edge whether it is do bug bounty or find a job as an application security tester/researcher.
I did a talk at null Bangalore last year on how you can accelerate your learning. May be of use as well.