Is programming knowledge required for web application penetration testing?

Not required at first, but you will need it to move up the ladder (in proficiency). Here’s why:-

  1. For DAST (Dynamic Application Security Testing), aka looking for security weaknesses when the application is running, understanding how a web application flows helps in identifying weaknesses in the coding. While you do NOT need to learn it at the same level as a programmer does, knowing it will enable you to look in the corners that other usually won’t look.
  2. A web application builds up (and runs on) lot of code (not written by the developer of the application). Those code packages (also called third party libraries, e.g., jQuery, Bootstrap, Laravel, Django, etc.) have been fortified by secure code, eradicating low hanging fruits (aka easily identifiable by script kiddies). These days, understanding nuances of a programming language helps a tester to (here i go again) look in the corners that others usually won’t look.
  3. If you are doing SAST (Static Application Security Test), aka source code security review, understanding the language is a definite requirement.