Picture was taken from http://www.tankado.com
This is a small post about how to start web security. Idea is to put just 2 things. Two sites for practice, one good book and docker example of the vuln web app.
Site 1 Web security academy
Site 2 CTF hacker 101
Damn Vuln Web App DVWA docker
Besides this, you will need Burp suite and Kali or Blackarch.
This is a short intro in this area. Read a book, apply to sites or docker, and practice.