Hackers routinely exploit web applications, especially as more services move to the cloud, despite the fact companies can easily fix most vulnerabilities within web applications before releasing their code to the wild. The “Web Application Exploitation” course teaches students about the most common web vulnerabilities (OWASP Top 10) in modern web applications, why they often exist, and several methods to test for their existence. Each module has video lecture content introducing exploitation concepts to explain why the vulnerabilities exist, and how hackers exploit them. Each module also includes an immersive hands-on lab component, in which the student has the chance to exploit each vulnerability, using the vulnerable Mutillidae framework. Finally, the course encourages students to engage in a dynamic “capstone lab” designed to test the students’ ability to exploit a novel web application leveraging vulnerabilities identified in the OWASP Top 10.