Web Recon & Intercepting Proxies
Learn web reconnaissance and HTTP interception, the skill set that lets you move from a URL to a meaningful map of the application behind it. Modern web targets often expose hidden directories, undocumented parameters, virtual hosts, and APIs that are not visible from the main interface. This course teaches you how to discover those surfaces, inspect raw HTTP behavior, and interact with web applications more deliberately from the command line.
Why It Matters
Many serious web findings begin with reconnaissance rather than exploitation. If you cannot identify hidden endpoints, unusual parameters, or API behavior, you will miss the attack surface entirely. That makes disciplined web recon a core skill for both security testing and defensive validation.
This course focuses on how web applications actually communicate. You will fuzz for hidden content, inspect and modify requests, interact with APIs, and build a clearer picture of how a target web environment is structured before deeper exploitation begins.
What You Will Learn
- Discover hidden directories, files, parameters, and virtual hosts with web fuzzing tools.
- Inspect and modify raw HTTP requests and responses using command-line workflows.
- Interact with APIs using multiple HTTP methods and structured JSON output.
- Identify web surfaces that are not visible through the browser alone.
- Build a more complete map of a target application's exposed infrastructure.
Course Roadmap
- Directory and File Fuzzing: Use ffuf and gobuster to identify hidden paths and files.
- Extended Web Fuzzing (Parameters & Vhosts): Expand discovery into undocumented parameters and hidden virtual hosts.
- HTTP Interception Basics: Craft, modify, and analyze HTTP traffic by hand with tools like curl.
- API Interaction and Analysis: Explore REST-style APIs, authentication flows, and JSON-based responses.
- Web Infrastructure Mapping Challenge: Apply recon and interception skills to uncover a hidden web surface and extract a sensitive token.
Who This Course Is For
- Learners entering the web security phase of the path.
- Penetration testers who want stronger enumeration discipline.
- Defenders validating what their web applications and APIs expose externally.
Outcomes
By the end of this course, you will be able to enumerate hidden web assets, analyze HTTP behavior more precisely, and prepare a stronger foundation for testing authentication, authorization, and injection flaws.




