As I said, it’s difficult to answer that question in a generic way that applies to everyone.
But if you already understand all basic attacks, you are in a better position than I was when I started. So, you are ready to go find some bugs. However, it takes a lot of time (at least it takes me a lot of time) and you should never give up learning, otherwise you are going to be looking for the same things for years to come.
Thank you so much @stefanofinding
Thanks @stefanofinding for your advice. I think the most important tip is “Don’t give up”
I agree.
Hi bro, I think you are from Hyd
If u ra, msg me
Yes bro… how do you know?
By seeing your name
If you are interested in talking with me, send your FB ID or Twitter account
You can use ZAP also. It is completely free from OWASP and has lots of features similar to Burp. Refer to the link:
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Sometimes you get challenges in the configuration of HTTPS in this kind of tool. Go through the documentation on how to set up the certificate for HTTPS. Also be aware of the port you are using in the HTTP proxy tool.
For practice you can use these and many others:
https://google-gruyere.appspot.com/
https://sourceforge.net/projects/mutillidae/
Mutillidae is my favorite to practice on, as it has many vulnerabilities (at least 50) and is updated maybe once/twice a month.
Also read all the disclosed reports on HackerOne and Medium, and maybe make a note of all the vulnerable payloads and endpoints for future reference, e.g. when testing websites, look up previous payloads and test them. I probably spend 60-70 per cent of my working day reading. I will gradually narrow that down as I soak up the knowledge and then have more time to actually find bugs.