In this session, I will first explain the differences between penetration testing and vulnerability scanning, and then introduce how to use the built-in developer tools in browsers to observe web application behaviors and perform manual testing. Meanwhile, I will share common vulnerabilities and testing techniques used through real world cases & vulnerable apps . I hope that the audience can get started on web application penetraton testing in daily work without professional tools after this session.