Where can I read about auditing the information security of a web application?
Good evening!
There are now many services for auditing the information security of websites/applications; where can I read about their activities? What exactly do they check, and how? So far I've only found this.
Ideally, I would like to read articles, perhaps even with examples, on how to find this or that vulnerability on a website.
I will add that the black box method is preferable (I do not have access to the files on the server where the site is hosted).
In general, you hit the mark: this is the most (well, one of the most, that's for sure) widely shared site on web application security, and it hosts many projects of all sorts that relate in one way or another to web security.
But in your case, you need to look at their project on web application penetration testing for vulnerabilities (that is, on detection). That project has a guide in PDF format (relatively recent) in which everything is described very well and conveniently: it covers all types of vulnerabilities, how to look for them (both black box and gray box are described), how they can then be exploited further, links to additional articles and, of course, tools/services to automate and help detect those vulnerabilities.
There are also articles on the site (sometimes even separate projects) on particular types of vulnerabilities, which are also interesting to read.
Among CGI scanners, you can pick Acunetix Web Vulnerability Scanner (paid, dammit, although the torrent helps); you can also look at ZAP from the participants of the same OWASP.
As for services: if it's about online scanners, then, as a rule, their working methods are not disclosed (especially if they are commercial), while open source scanners always have manuals on the principles of their operation. But I want to note that such scanners usually reveal only trivial vulnerabilities, and studying how they work won't give you much in web application pentesting. If you meant services in the sense of teams of specialists who conduct audits, then of course they don't disclose this either, but there are organizations (as described above, OWASP) that are created precisely to share information and describe all kinds of techniques and tricks for detecting and exploiting vulnerabilities. Besides such organizations, you can learn a lot of useful information on the relevant forums (RDot.org, for example).