Exactly what Ziggy said. The techniques are the same regardless of whether its a web server, a database server, a domain controller, etc. You may be looking at a different log file and ancillary evidence, but its the same general process. The resources I provided will answer your questions. Check out the "Hackers Challenges" books as well; they walk you through real attacks and the ensuing IH/IR.
You also have to remember that a web app compromise can lead to a full-blown system compromise. You can't just fix a hole in a web app and call it a day. If a backdoor is left unnoticed and active, you'll still have a big problem on your hands. So again, regardless of whether the initial vector is a web app or a user downloading malware, you should still check when files were modified, running processes, user activity, network activity, etc.
The day you stop learning is the day you start becoming obsolete.