By the Book
There are lots of methodologies, more or less formal, for testing your web app’s security. OWASP is, of course, a biggie.
https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
And don’t forget tools for particular platforms, for instance WordPress.
http://wpscan.org/ (this is great)