Many conference talks that address web application security or penetration testing focus on the OWASP Top 10 to frame the discussion, but that's not realistic! In this talk, the focus is on a realistic approach and walkthrough of web application penetration testing, aimed at the red team interested in or doing these kinds of assessments and the blue team/developers that need to better defend applications.