Programming, just like testing, is as much a science as it is an art. A program has components such as clients, servers, state, and user inputs. Most coding follows some rules, and most popular technologies have user communities that lay down the “best practices” for coding in them. The fun in testing them is figuring out where a loss of creativity, simple laziness, or poor integration is causing the system to expose its vulnerabilities. It is important to understand the web architecture and have a threat model prepared for it. Coders lay down rules for page access and session management, based on the state they have designed, in order to control the security of the application. How well do you understand these while testing?
The idea is to learn how to do proper web application testing. This involves exploratory testing, threat modelling, and learning web architecture and its associated risks: server and client vulnerabilities, user-input-based vulnerabilities and attacks, technology- and programming-language-based loopholes, and vulnerabilities due to state information, as well as some basic privacy testing and threats around web services.