# Web App Pentesting

- [SQL Injection](/web-app-pentesting/sql-injection.md)
- [NoSQL Injection](/web-app-pentesting/nosql-injection.md)
- [XSS](/web-app-pentesting/xss.md)
- [CSRF](/web-app-pentesting/csrf.md)
- [SSRF](/web-app-pentesting/ssrf.md)
- [XXE](/web-app-pentesting/xxe.md)
- [IDOR](/web-app-pentesting/idor.md)
- [SSTI](/web-app-pentesting/ssti.md)
- [Broken Access Control/Privilege Escalation](/web-app-pentesting/broken-access-control-privilege-escalation.md)
- [Open Redirect](/web-app-pentesting/open-redirect.md)
- [File Inclusion](/web-app-pentesting/file-inclusion.md)
- [File Upload](/web-app-pentesting/file-upload.md)
- [Insecure Deserialization](/web-app-pentesting/insecure-deserialization.md)
  - [XMLDecoder](/web-app-pentesting/insecure-deserialization/xmldecoder.md): XMLDecoder Lab from PentesterLab or NullCon 2016 CTF
- [LDAP Injection](/web-app-pentesting/ldap-injection.md)
- [XPath Injection](/web-app-pentesting/xpath-injection.md)
- [JWT](/web-app-pentesting/jwt.md)
- [Parameter Pollution](/web-app-pentesting/parameter-pollution.md)
- [Prototype Pollution](/web-app-pentesting/prototype-pollution.md)
- [Race Conditions](/web-app-pentesting/race-conditions.md)
- [CRLF Injection](/web-app-pentesting/crlf-injection.md)
- [LaTeX Injection](/web-app-pentesting/latex-injection.md)
- [CORS Misconfiguration](/web-app-pentesting/cors-misconfiguration.md)
- [Handy Commands & Payloads](/web-app-pentesting/handy-commands-and-payloads.md): Commands and Payloads that I use the most to get the basics covered.
