The OWASP top ten

https://owasp.org/www-project-top-ten/

Portswigger's (of Burp fame) free online web security courses

https://portswigger.net/web-security

Create simulated web logs for threat hunting

https://github.com/punk-security/pwnspoof

HTTP Security Headers and what they do

https://nullsweep.com/http-security-headers-a-complete-guide/

NCC's guide to "Common Security Issues in Financially Oriented Web Applications"

https://www.nccgroup.com/globalassets/our-research/uk/images/common_security_issues_in_financially-orientated_web.pdf.pdf

A list of useful payloads and bypasses for Web Application Security

https://github.com/swisskyrepo/PayloadsAllTheThings

MITRE CAPEC

http://capec.mitre.org/index.html

Learn SQL with the SQL murder mystery

https://mystery.knightlab.com/

SQL query builder

http://sqlfiddle.com/

SQL Injection

https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

https://portswigger.net/web-security/sql-injection/cheat-sheet

https://www.websec.ca/kb/sql_injection

XSS payloads

https://github.com/payloadbox/xss-payload-list