Web app testing is a cool space. There's a lot of new, interesting territory for someone like me who has been learning network pentesting. Both are a lot of fun, but web applications have so many interesting things going on that I've found I kind of dig it. That said, there's not really a lot out there when compared to network pentesting. We have tons of vids and courses on how to get root on a box, how to run Nmap to check for services, and how to do all those cool things. They are all awesome skills, but you won't find as much material explaining the process of attacking a web app. Still, there are a handful of free resources that can defintely get you started.
Free learning resources
- Port Swigger Academy -https://portswigger.net/web-security
- Hacker101 - https://www.hacker101.com
- Web Hacking 101 free book - https://www.hackerone.com/blog/Hack-Learn-Earn-with-a-Free-E-Book
- OWASP Web Security Testing Guide - https://owasp.org/www-project-web-security-testing-guide/