Web app pen testing methodology: map application (crawl, spider) → analyze architecture → test each endpoint for OWASP Top 10 vulnerabilities → document findings → report.
OWASP Testing Guide (WSTG) provides comprehensive test cases for every web vulnerability type. Burp Suite is the primary tool. Focus on: authentication, authorization (IDOR), injection, session management, business logic flaws. Business logic flaws require manual testing — scanners miss them.
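Two of the test cases singled out above, object-level authorization (IDOR) and a business logic check, written as an added example rather than code from the page or from WSTG. A tiny in-memory "app" exposes each endpoint twice, once missing the check and once enforcing it, and the test functions are the requests a tester (or a CI suite) would send to tell the two apart. Every user, document, price and function name here is constructed for the demo.

```python
"""Added example: authorization (IDOR) and business-logic test cases run
against a constructed in-memory app. Nothing here is from a real project."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: two users, each owning one document.
DOCUMENTS = {
    101: Document(101, "alice", "alice's quarterly report"),
    102: Document(102, "bob", "bob's salary letter"),
}
PRICES = {"book": 2000, "pen": 150}  # cents, constructed


class Forbidden(Exception):
    """Raised when the session user may not read the requested object."""


# --- GET /documents/<id>: object-level authorization -------------------

def get_document_vulnerable(session_user: str, doc_id: int) -> Document:
    # Trusts the client-supplied id and never compares it with the session
    # user: any authenticated user can read any document (an IDOR).
    return DOCUMENTS[doc_id]


def get_document_fixed(session_user: str, doc_id: int) -> Document:
    # Ownership is checked on every lookup. "Missing" and "not yours" share
    # one error so the endpoint does not leak which ids exist.
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not read document {doc_id}")
    return doc


def idor_test_case(handler, attacker="alice", victim_doc_id=102):
    """An authenticated user requests an object that belongs to someone else.
    Returns a verdict dict; vulnerable means the other user's data came back."""
    try:
        doc = handler(attacker, victim_doc_id)
        return {"endpoint": handler.__name__, "vulnerable": True, "leaked_owner": doc.owner}
    except Forbidden:
        return {"endpoint": handler.__name__, "vulnerable": False, "leaked_owner": None}


# --- POST /checkout: business logic ------------------------------------

def checkout_vulnerable(cart: dict, prices: dict) -> int:
    # Sums line items without validating quantity, so a negative quantity
    # reduces the total. No payload list finds this; reading the flow does.
    return sum(prices[sku] * qty for sku, qty in cart.items())


def checkout_fixed(cart: dict, prices: dict) -> int:
    # Server-side validation of every line item before any arithmetic.
    for sku, qty in cart.items():
        if sku not in prices or not isinstance(qty, int) or qty < 1:
            raise ValueError(f"invalid line item {sku!r}={qty!r}")
    return sum(prices[sku] * qty for sku, qty in cart.items())


def business_logic_test_case(handler):
    """A cart mixing a real item with a negative quantity. Vulnerable if the
    order total is below the price of the single legitimate item."""
    cart = {"book": 1, "pen": -20}
    try:
        total = handler(cart, PRICES)
        return {"endpoint": handler.__name__, "vulnerable": total < PRICES["book"], "total": total}
    except ValueError:
        return {"endpoint": handler.__name__, "vulnerable": False, "total": None}


def run_suite():
    """Run both test cases against both implementations and report."""
    results = [idor_test_case(h) for h in (get_document_vulnerable, get_document_fixed)]
    results += [business_logic_test_case(h) for h in (checkout_vulnerable, checkout_fixed)]
    for r in results:
        print(f"{r['endpoint']}: {'VULNERABLE' if r['vulnerable'] else 'ok'}")
    return results


if __name__ == "__main__":
    run_suite()
```

Running the module prints a verdict per endpoint. The point of the checkout case is the one the text makes: the flaw is in the arithmetic the application is meant to perform, not in any input parser, so only a tester who understands the intended flow thinks to send it.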