Web Application Security · beginner · ~11 min
Use an intercepting proxy to read and modify your own requests, the core web-testing loop.
Web testing means sending unexpected requests and observing responses. An intercepting proxy (Burp/ZAP) lets you read and modify every request — bypassing the UI to change params, headers, cookies, and methods. curl/Postman/devtools/ffuf are companions.
Every web vulnerability class is a variation of "modify the request the app trusted." The intercept-modify-forward loop is the universal technique; mastering it is the prerequisite for finding any of the bugs in this track.
Intercepting proxy: pause, read, and edit requests (Burp, ZAP).
Bypass the UI: the backend is reachable directly.
The loop: intercept → modify → forward → observe → repeat.
Companions: curl, Postman, devtools, ffuf.
Lab-only: authorized targets / DVWA / Juice Shop.
Web testing is, at its heart, sending requests the application didn't expect and watching how it responds.
Tools like Burp Suite and OWASP ZAP sit between your browser and the site, letting you pause, read, and edit every request before it's sent. The workflow:
1. Intercept: the proxy holds the request before it leaves your browser.
2. Modify: change parameters, headers, cookies, or the HTTP method.
3. Forward: release the edited request to the server.
4. Observe: read the response for any change in behaviour.
5. Repeat: try the next variation.
The frontend is just one way to talk to the backend. With a proxy you bypass the UI entirely — submit values the form forbade, change a hidden price field, swap an id, alter the HTTP method. Everything in this track is a pattern of doing exactly that.
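An added example, not code from the original lesson and not Burp's or ZAP's own code, showing the intercept-modify-forward loop in miniature and entirely offline: it parses a raw HTTP request of the kind a proxy's intercept tab displays, edits a form field and the method, re-serializes it with a corrected Content-Length, and hands it to two in-process stand-ins for the backend. The request text, the `/checkout` path, the `shop.example` host, the `CATALOG` price list and both backend functions are constructed for this example. The second backend is the defensive half of the lesson: a server that recomputes the price from its own catalog makes the edited hidden field harmless.

```python
"""Intercept -> modify -> forward -> observe, on a raw HTTP request, with a
trusting backend beside a hardened one. All values below are constructed for
the example; no sockets are opened."""
from urllib.parse import parse_qsl, urlencode


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request (as shown in a proxy's intercept tab)
    into method, path, version, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def serialize_request(req: dict) -> str:
    """Rebuild the wire form. Content-Length is recomputed so an edited body
    is not truncated or left hanging by the server."""
    headers = dict(req["headers"])
    if req["body"]:
        headers["Content-Length"] = str(len(req["body"].encode()))
    else:
        headers.pop("Content-Length", None)
    head = [f"{req['method']} {req['path']} {req['version']}"]
    head += [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(head) + "\r\n\r\n" + req["body"]


def modify(req: dict, *, params=None, headers=None, method=None) -> dict:
    """The 'modify' step: rewrite form fields, headers, or the HTTP method
    without touching the browser or the page's form."""
    req = {**req, "headers": dict(req["headers"])}
    if params:
        fields = dict(parse_qsl(req["body"], keep_blank_values=True))
        fields.update(params)
        req["body"] = urlencode(fields)
    if headers:
        req["headers"].update(headers)
    if method:
        req["method"] = method
    return req


# Constructed server-side price list (hypothetical shop).
CATALOG = {"42": 19.99}


def backend_trusting_client(req: dict) -> dict:
    """Vulnerable stand-in: charges whatever the hidden 'price' field says."""
    fields = dict(parse_qsl(req["body"]))
    return {"status": 200, "charged": float(fields["price"])}


def backend_server_side_price(req: dict) -> dict:
    """Hardened stand-in: price comes from the catalog; the client's field is
    ignored, so editing it in the proxy changes nothing."""
    fields = dict(parse_qsl(req["body"]))
    item = fields.get("item")
    if item not in CATALOG:
        return {"status": 400, "charged": 0.0}
    return {"status": 200, "charged": CATALOG[item]}


# Constructed request, as a proxy would show it after the browser submits
# the checkout form (Content-Length 25 matches the body exactly).
RAW = (
    "POST /checkout HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Cookie: session=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 25\r\n"
    "\r\n"
    "item=42&price=19.99&qty=1"
)


def run_loop() -> dict:
    """One pass of the loop: intercept RAW, change the hidden price field,
    forward to both backends, and return what each one observed."""
    original = parse_request(RAW)
    tampered = modify(original, params={"price": "0.01"})
    return {
        "wire": serialize_request(tampered),
        "vulnerable": backend_trusting_client(tampered),
        "hardened": backend_server_side_price(tampered),
    }


if __name__ == "__main__":
    result = run_loop()
    print(result["wire"])
    print("trusting backend charged:", result["vulnerable"]["charged"])
    print("hardened backend charged:", result["hardened"]["charged"])
```

The parse/serialize pair is the part worth keeping: once a request is a plain dict you can change any of method, path, headers, cookies or body fields and get back valid wire text, which is exactly what a proxy's repeater does. The two backends show why the loop finds bugs: the difference between them is one server-side lookup.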
Only ever test applications you own or are explicitly authorized to test. The labs here are conceptual; practice on intentionally-vulnerable apps like DVWA or OWASP Juice Shop, locally.
The core web-testing skill is intercepting and reshaping your own requests with a proxy, sidestepping the frontend to probe the backend directly. Every later technique is a specific application of this loop, used only within authorization.