This list features free and open source learning materials aimed at those with little or no experience in information security. To find trickier vulnerabilities, like business logic flaws or race conditions, you must have a complete understanding of how the Internet and web applications function. For those purely interested in finding vulnerabilities for bug bounty programs, there are open source scripts you can use to quickly scan web apps. The best tool to start with is Burp Suite Community Edition, which intercepts HTTP traffic so you can manually alter requests.”]
Source: https://www.darkreading.com/application-security/the-hitchhiker-s-guide-to-web-app-pen-testing