When I was learning web penetration testing / security, I found it really hard to put the bits and pieces together. There are a lot of labs, but the basics are not really explained in depth. The attack simply "works" and you are left thinking why it did. After 7 years in AppSec, I built AppSecMaster, with clear learning tracks for all skill levels. Each lab has its code attached, where you can spot the insecure code and also a live instance for you to test on. Solutions are explained in detail, starting from the core concepts. For expert level users, we also have big applications (mansions) that help prepare you for top level code review certifications.

Best of luck to all