Can't really go wrong with <a href="https://portswigger.net/web-security" rel="nofollow">https://portswigger.net/web-security</a> , which is a spiritual successor to the Web Application Hacker's handbook 2nd edition. If you want more practice, take a look at things like TryHackMe and HackTheBox, both of which have plenty of web-focused modules to work through as well.