Before you can secure a web app you must see it as an attacker does — as raw HTTP requests you can read and modify. Set up a lab and an intercepting proxy, legally.
Why: attacking a web app you do not own is illegal — this entire course is for building secure apps and testing systems you have written permission to test (a pentest engagement, a bug bounty in scope, or a lab you control). When: set up a local deliberately-vulnerable app so you can practice safely. Where: OWASP Juice Shop and DVWA exist precisely so you can learn these techniques legally.
# Run a deliberately-vulnerable app LOCALLY to practice against (legal):
docker run -d -p 3000:3000 bkimminich/juice-shop # OWASP Juice Shop
# Golden rule: only test systems you OWN or are explicitly authorized to test.
# Unauthorized testing is a crime. This course targets your own lab.Why: a web app is just code that responds to HTTP requests, and every request — its method, path, headers, cookies, and body — is fully controlled by the client, so none of it can be trusted. When: think of each request as attacker-controllable input. Where: the server is the only trust boundary; anything enforced only in the browser can be bypassed by sending the request directly.
POST /api/login HTTP/1.1
Host: localhost:3000
Content-Type: application/json
Cookie: session=abc123
{"email": "user@example.com", "password": "hunter2"}
# The client controls the method, path, headers, cookies, and body — ALL of it.
# "It's validated in the browser" is not a control; resend the request raw.Why: the core web-testing tool is an intercepting proxy (Burp Suite or OWASP ZAP) that sits between your browser and the app so you can read and modify every request before it is sent — this is how you probe inputs. When: route your lab traffic through the proxy to inspect and tamper with requests. Where: the same tool developers use to debug is what testers use to find flaws.
BROWSER ──► [ INTERCEPTING PROXY ] ──► WEB APP
(Burp Suite / OWASP ZAP)
read + modify every request
Workflow:
1. point the browser's proxy at 127.0.0.1:8080
2. browse the app; the proxy records every request
3. modify a parameter, replay it, observe the response
4. that "modify and replay" is the heart of web testing