This section covers the server-side web vulnerabilities that most often escalate to serious impact: injection into templates, queries, and shells; parsers that betray trust; and request-boundary confusion. Each explainer names the technique, shows how it is detected and abused, and gives the control that closes it. For the client-side and access-control classes, see the Application Security section.
Topics
- What is Server-Side Template Injection (SSTI)?: user input evaluated as template code, usually reaching remote code execution.
- What is Insecure Deserialization?: rebuilding objects from hostile bytes, and the gadget chains that follow.
- What is XXE?: an XML parser that resolves external entities, becoming file read and server-side request forgery.
- What is OS Command Injection?: user input reaching a system shell, the most direct route to server control.
- What are File Upload Vulnerabilities?: from an uploaded file to a web shell and full compromise.
- What is HTTP Request Smuggling?: front-end and back-end disagreeing on request boundaries.
- What is LFI and RFI?: controlling which file an application includes, to read data or run code.
- What is NoSQL Injection?: operator injection that bypasses authentication and extracts data.
How to read this section
Every explainer follows the same shape: what the flaw is, how it is detected and abused with real payloads shown for defensive context, and how to close it. The payloads are here to help defenders recognize and reproduce the issue, not to weaponize it. If you want these tested against your own application with reproducible evidence and a developer-ready report, that is what web application penetration testing delivers.
References
- [1]OWASP Web Security Testing Guide(OWASP)
- [2]PortSwigger Web Security Academy(PortSwigger)