Now days, every business of any domain that is education, sports, heath, gaming, service etc or any government organization are online i.e. they have a web application. Each and every web application have large amount of confidential data related to their users or important data about their organization and it can be extremely destructive if it goes in the hand of wrong and unauthorized person. This paper focuses on determining whether the developed web application is secured against different and most destructive types of web attacks or not. This paper not only describes about destructive web application attacks but it also elaborates each and every step a pen tester need to follow to detect each type of vulnerability, and how to exploit it to perform unauthorized actions as firstly it is necessary to find whether an application is vulnerable to any attack or not before directly going towards taking all precaution steps towards all type of vulnerability. And moreover penetration testing also gives a clear idea of the specific part or the functionality of the targeted web application which is vulnerable to which particular type of attack.