Web Resources

  • OverTheWire: Natas is like Bandit, but now you learn about some basic web vulnerabilities.
  • OWASP Top 10 represents the most common web app vulnerabilities and is a standard for web app security. You can practice these attacks in OWASP Juice Shop (this is the TryHackMe version, where you can deploy an instance to work with).
  • PortSwigger Web Security Academy is a free set of web application security labs made by the same people who made Burp Suite, which is the de facto tool when dealing with the web.
  • HTB CBBH Course is a course that builds up to a certification from HackTheBox that means nothing. However, the course content is put together very well and focuses a lot on bug bounty (mitigations are mentioned, though), and with a student email, it only costs you $8 a month to get full access (very good deal!!!!).
  • swisskyrepo/PayloadsAllTheThings documents payloads for every kind of web vulnerability you could ever imagine, so if you're trying to bypass something or look for an exploit you've never heard of, this is the place to look.
  • Practical Web Application Security & Testing is a $30 course by Michael Taggart that takes you from zero to one with learning the basics of web app testing. If you learn best with guided content, this might be a good investment to make.

Books

As a Lewis student, you have access to O'Reilly Library, which I highly recommend that you take advantage of.
