This. For me, the "aha" moment of web security was when I completely understood HTTP. Once you understand the protocol itself, and start realizing things like "cookies are a hack, because they are just another header" and "why do we need SNI".
The second most common issue I see is XSS vectors, and for that, you just have to get down and learn about all the features (and edge cases) that javascript/HTML5 has. For instance, things like not storing sensitive data in localStorage.
Or that some applications write their own cookie handlers (which are injectable). Or that some frameworks don't handle the request header properly. Or that you'll sometimes see custom headers that you can donk with.
Being clever at XSS/CSRF is what forced me to learn javascript in the first place. Also worth writing your own instead of using existing stuff like jquery.
The second most common issue I see is XSS vectors, and for that, you just have to get down and learn about all the features (and edge cases) that javascript/HTML5 has. For instance, things like not storing sensitive data in localStorage.