This document provides guidance on how to start web application penetration testing. It recommends gaining basic knowledge of web technologies such as HTTP, HTML, and JavaScript, and familiarity with common web vulnerabilities. Tools mentioned include web proxies such as Burp Suite and web spiders. The workflow outlined covers information gathering, authentication testing, session management testing, authorization testing, parameter fuzzing, file upload testing, and denial of service testing. Specific techniques are described for each phase, such as identifying all application entry points, brute forcing credentials, investigating session tokens for predictability, and verifying that sessions are properly terminated on logout.