What's the best resource to learn web-app pentesting?

Can't really go wrong with https://portswigger.net/web-security , which is a spiritual successor to the Web Application Hacker's handbook 2nd edition. If you want more practice, take a look at things like TryHackMe and HackTheBox, both of which have plenty of web-focused modules to work through as well.