by elptacek
3967 days ago
Skimmed the responses, and I don't think anyone has said this, so... Write a web app. Find the least friendly, most bare bones server in whatever your favorite language is (sinatra, flask, gin-gonic). Write as much of the MVC stuff as you can yourself. You will unintentionally implement at least one of the OWASP top 10 bugs. Maybe try to intentionally implement as many of them as you can. So far the most educational coding I've done is writing a web proxy and a web router. Pentesting forced me to look at most parts of an HTTP request... rewriting headers, implementing session stores and (trying to) handle SSL has all been painfully educational.
The second most common issue I see is XSS vectors, and for that, you just have to get down and learn about all the features (and edge cases) that JavaScript/HTML5 has. For instance, things like not storing sensitive data in localStorage.
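The "write the router yourself" exercise above, as an added example that is not part of the commenter's post: a bare-bones WSGI app (standard library only, route names and the in-process `call` helper are made up for illustration) with a reflected-XSS handler next to its escaped counterpart, so the bug and the fix can be compared directly.

```python
# Added example: hand-rolled WSGI router, stdlib only. Route paths are invented.
from html import escape
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server
import io

def parse_query(environ):
    # First value per key is enough for this toy router.
    return {k: v[0] for k, v in parse_qs(environ.get("QUERY_STRING", "")).items()}

def greet_vulnerable(params):
    # Bug: user input spliced straight into markup -> reflected XSS.
    name = params.get("name", "world")
    return f"<h1>Hello {name}</h1>"

def greet_fixed(params):
    # Fix: HTML-escape before interpolating into text content.
    name = escape(params.get("name", "world"), quote=True)
    return f"<h1>Hello {name}</h1>"

ROUTES = {"/vuln": greet_vulnerable, "/safe": greet_fixed}

def app(environ, start_response):
    handler = ROUTES.get(environ.get("PATH_INFO", "/"))
    if handler is None:
        start_response("404 Not Found", [("Content-Type", "text/plain; charset=utf-8")])
        return [b"not found"]
    body = handler(parse_query(environ)).encode("utf-8")
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
        # Defence in depth: disallowing inline script blunts reflected XSS.
        ("Content-Security-Policy", "default-src 'self'"),
    ]
    start_response("200 OK", headers)
    return [body]

def call(path, query=""):
    """Invoke the app in-process with a constructed environ; returns (status, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
               "wsgi.input": io.BytesIO(b""), "wsgi.errors": io.StringIO()}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body

if __name__ == "__main__":
    make_server("127.0.0.1", 8000, app).serve_forever()
```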