Personally, I feel that there is a lot to know in this area. After learning the necessary foundations, you can start learning the principles behind some common vulnerabilities while broadening your knowledge at the same time.

Learn some basics first. You must learn HTML/CSS/JS: after opening a web page and the browser's developer tools, you must be able to read the page's source code and analyze the structure of the page. Learn a scripting language to use as a tool later on; I recommend Python 3. It is best to also learn a server-side dynamic web language; choose one of PHP or ASP (ideally learn both). Understand the commonly used network protocols: at a minimum, understand the structure of HTTP messages and know what TCP and IP are used for.

Then you can learn the principle of the XSS vulnerability, then learn SQL, then learn the SQL injection vulnerability, then learn whatever knowledge is needed for the next vulnerability you want to understand, and so on.