HTML is a web design language, and so is CSS. Learning these is fairly simple, as HTML is the framework, the building blocks (and windows), while CSS is the paint / design. Most HTML tags have a start and an end, e.g., <b>Hello World</b>. (Bold text.)
There isn't much to know / learn about HTML, except if you want to follow coding standards, which have pretty much nothing to do with web app pentesting, besides that you can look at code and think it looks horrible. So all you need to know is how to create a simple HTML page, and how the tags, attributes, values, and such work. (A good thing to know is what you can use in specific tags, such as event handlers. You don't need to memorize this; you can just use w3schools.com for starters and look up tags there most of the time.)
A simple HTML page is this:
XML, yet another language. What is it? Generally, it's just information stored in a simple language format, that can be parsed by a lot of programs, and websites. Of course, each program or website has its own way of creating these files (the content within which can be read with a text editor), but in essence XML is cross-compatible with anything that can read XML. (It may not work as intended from a website to a program, but it should be possible to do in most cases.)
So XML can be information shared dynamically in an open format.
It may seem like a lot, but most of it is really not. The biggest areas that may seem advanced or like a lot are:
- Advanced SQL queries (Using CAST(), Encoding Schemes, CASE, etc.)
- PHP (Source code review where e.g., preg_replace() is used, or even htmlentities() is used properly but not implemented correctly)
- HTML5 and CSS3, both have a lot of new features that even I haven't fully looked into.
You should try to get the basics first before learning about those in depth.
1) There's a lot to know about web app sec, but for starters and up to intermediate level, look at the OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
and the Testing Project: https://www.owasp.org/index.php/OWASP_Testing_Project
2) Learn how to make basic applications in the languages you want to know, and of course more importantly know how to read the syntax. If you can read the syntax and generally know how a language is built, then you only need to find out what specific functions do. Using the "xxxxx for pentesters" books can be good, but keep in mind some of them may be quite advanced and discuss topics like buffer overflows which may seem hard to grasp at some points. You can check out "Gray Hat Python", but take a look at the contents first.
About your list, I think you should remove Python or Perl and add PHP instead. It's good to know how both are "built", but generally people use either Perl or Python. A long time ago, it was as if all hackers only used Perl, but now it seems like more have gone over to using Python, and well, I prefer Python too.
So learn Perl or Python, and PHP, instead of learning both scripting languages which you don't really need to, except the syntax and how they function.