While this doesn’t directly teach you by giving you instructions, it gives you the hands-on experience you’ll need. It is best used as something to attack while you follow along with some other tutorial(s), which I’ll list below.
Anyway, it is called Juice Shop: https://github.com/bkimminich/juice-shop
Juice Shop is a web application built with modern technologies. A lot of the vulnerabilities are frequently found in real-world apps, which makes Juice Shop so good - it is essentially a real-world app.
Now, with Juice Shop installed, you want to attack it. You might follow along with the videos and CTFs created by HackerOne (a bug bounty platform): https://www.hackerone.com/hacker101 to get a feel for things. The book considered to be the holy grail of web application security is The Web Application Hacker’s Handbook. It’s a little old, but is still super useful. You might also find The Tangled Web to be useful.
Some additional resources:
https://pentesterlab.com/ (Offers free content, but is mostly premium, $19.99/month)
Also, an extremely useful tool to have is Burp Suite: https://portswigger.net/burp (created by the coauthor of the Web Application Hacker’s Handbook). OWASP also has ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.
Anyway, a glimpse through the Web Application Hacker’s Handbook will provide a solid understanding of attacking web applications; it is invaluable. I hope this provides enough for you to dig into. However, I apologize that it isn’t in a much better order.