The simplest testing does not require a large amount of knowledge, it can often be carried out using automated tools. Programming skills are not required for an ethical hacker, but they can help in the profession. This will give an understanding of the groups of errors that could have been made by IT specialists developing the site.

For example, some programming languages do not have a standard way to encode special characters into HTML objects, so you can start by searching for injection sites using query strings that can allow cross-site scripting.

The PHP language for working with MySQL-compatible databases usually uses standard interfaces that send each request as a separate message. Therefore, even if the site does not clean up the entered parameters of SQL queries, it may turn out that it is impossible to use command breakdown symbols to execute third-party code.

The ability to understand the protocols used by the service will also be an advantage.

You may already have tools to check the protection against forced password selection in the HTML form for the login, but if the site also offers access via the POP3 protocol and you can study the documentation for this protocol, you will have the opportunity to program your own tool to break the password for the POP3 login. This protocol is open, and studying it can give you useful knowledge.