> For the complete documentation index, see [llms.txt](https://playbook.sidthoviti.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://playbook.sidthoviti.com/web-app-pentesting.md).

# Web App Pentesting

- [SQL Injection](https://playbook.sidthoviti.com/web-app-pentesting/sql-injection.md)
- [NoSQL Injection](https://playbook.sidthoviti.com/web-app-pentesting/nosql-injection.md)
- [XSS](https://playbook.sidthoviti.com/web-app-pentesting/xss.md)
- [CSRF](https://playbook.sidthoviti.com/web-app-pentesting/csrf.md)
- [SSRF](https://playbook.sidthoviti.com/web-app-pentesting/ssrf.md)
- [XXE](https://playbook.sidthoviti.com/web-app-pentesting/xxe.md)
- [IDOR](https://playbook.sidthoviti.com/web-app-pentesting/idor.md)
- [SSTI](https://playbook.sidthoviti.com/web-app-pentesting/ssti.md)
- [Broken Access Control/Privilege Escalation](https://playbook.sidthoviti.com/web-app-pentesting/broken-access-control-privilege-escalation.md)
- [Open Redirect](https://playbook.sidthoviti.com/web-app-pentesting/open-redirect.md)
- [File Inclusion](https://playbook.sidthoviti.com/web-app-pentesting/file-inclusion.md)
- [File Upload](https://playbook.sidthoviti.com/web-app-pentesting/file-upload.md)
- [Insecure Deserialization](https://playbook.sidthoviti.com/web-app-pentesting/insecure-deserialization.md)
- [XMLDecoder](https://playbook.sidthoviti.com/web-app-pentesting/insecure-deserialization/xmldecoder.md): XMLDecoder Lab from PentesterLab or NullCon 2016 CTF
- [LDAP Injection](https://playbook.sidthoviti.com/web-app-pentesting/ldap-injection.md)
- [XPath Injection](https://playbook.sidthoviti.com/web-app-pentesting/xpath-injection.md)
- [JWT](https://playbook.sidthoviti.com/web-app-pentesting/jwt.md)
- [Parameter Pollution](https://playbook.sidthoviti.com/web-app-pentesting/parameter-pollution.md)
- [Prototype Pollution](https://playbook.sidthoviti.com/web-app-pentesting/prototype-pollution.md)
- [Race Conditions](https://playbook.sidthoviti.com/web-app-pentesting/race-conditions.md)
- [CRLF Injection](https://playbook.sidthoviti.com/web-app-pentesting/crlf-injection.md)
- [LaTeX Injection](https://playbook.sidthoviti.com/web-app-pentesting/latex-injection.md)
- [CORS Misconfiguration](https://playbook.sidthoviti.com/web-app-pentesting/cors-misconfiguration.md)
- [Handy Commands & Payloads](https://playbook.sidthoviti.com/web-app-pentesting/handy-commands-and-payloads.md): Commands and Payloads that I use the most to get the basics covered.
