And legal issues ;) If you're a total newbie, you can A) Search forums (and blogs) for tutorials on Web Application Security; B) Read The Web Application Hacker's Handbook.
Both things are worth doing, even though I didn't read the second one, it certainly did look interesting ;) I think reading that book will probably be a shortcut to most, to get most of the basics and even some more advanced stuff.
When you're ready to dive into the more advanced stuff, with or without programming knowledge, you need to find some good resources for web app sec like ha.ckers.org, etc. ;) (Find them yourself, you should. If you're going to become a real hardcore web app hacker.)
And last but not least, learn how to spot coding errors in e.g. PHP scripts so you can find 0days yourself as well. Sometimes, it's boring to look through a billion lines of code, but then you can alternatively grab a copy of the web app, install it on your own server, and test it for vulnerabilities ;) (With your own methods, NO automated scanners. In most popular web apps they wouldn't do any good except waste your time. This doesn't apply to addons for popular web apps, as the addons are often vulnerable.)
CTRLS wrote: Well I know most of that but isn't there more to it?
There's A LOT more to it than you think!
Create something like this: http://www.exploit-db.com/vbseo-from-xs ... php-shell/
That's pretty much when I go in-depth with my skills, to prove that even XSS can be deadly if you just use your knowledge (and imagination) right.