Learn

Web exploitation, explained by the pentesters who do it.

The server-side flaws that turn a web input into file read, data theft, and remote code execution. Plain explainers with the real technique names, the payloads testers use, and the fix that actually closes each one.

TL;DR

This section covers the server-side web vulnerabilities that most often escalate to serious impact: injection into templates, queries, and shells; parsers that betray trust; and request-boundary confusion. Each explainer names the technique, shows how it is detected and abused, and gives the control that closes it. For the client-side and access-control classes, see the Application Security section.

By Pranav Khune, Lead Pentester, SecureLayer7Updated

Topics

How to read this section

Every explainer follows the same shape: what the flaw is, how it is detected and abused with real payloads shown for defensive context, and how to close it. The payloads are here to help defenders recognize and reproduce the issue, not to weaponize it. If you want these tested against your own application with reproducible evidence and a developer-ready report, that is what web application penetration testing delivers.

References

  1. [1]OWASP Web Security Testing Guide(OWASP)
  2. [2]PortSwigger Web Security Academy(PortSwigger)
Related terms

Test your application

Have these tested against your real application.

Our testers manually prove which of these reach impact in your environment, with reproducible evidence and a developer-ready report.

See web application penetration testing30-min scoping call, fixed-price proposal in 48 hours.