# Common vulns

- [SQL injection overview](/appsecexplained/common-vulns/sql-injection-overview.md)
  - [Detection](/appsecexplained/common-vulns/sql-injection-overview/detection.md)
  - [Blind SQLi](/appsecexplained/common-vulns/sql-injection-overview/blind-sqli.md)
  - [Second-order SQLi](/appsecexplained/common-vulns/sql-injection-overview/second-order-sqli.md)
  - [SQLi lab setup & writeups](/appsecexplained/common-vulns/sql-injection-overview/sqli-lab-setup-and-writeups.md)
- [NoSQL injection](/appsecexplained/common-vulns/nosql-injection.md)
- [JavaScript injection (XSS)](/appsecexplained/common-vulns/javascript-injection-xss.md)
  - [XSS Methodology](/appsecexplained/common-vulns/javascript-injection-xss/xss-methodology.md)
- [File Inclusion](/appsecexplained/common-vulns/file-inclusion.md)
  - [Local file inclusion](/appsecexplained/common-vulns/file-inclusion/local-file-inclusion.md)
    - [Directory traversal](/appsecexplained/common-vulns/file-inclusion/local-file-inclusion/directory-traversal.md)
- [Command injection](/appsecexplained/common-vulns/command-injection.md)
- [XXE (XML external entity) injection](/appsecexplained/common-vulns/xxe-xml-external-entity-injection.md)
  - [Blind XXE](/appsecexplained/common-vulns/xxe-xml-external-entity-injection/blind-xxe.md)
- [Template injection](/appsecexplained/common-vulns/template-injection.md)
  - [Server-side template injection](/appsecexplained/common-vulns/template-injection/server-side-template-injection.md)
  - [Client-side template injection](/appsecexplained/common-vulns/template-injection/client-side-template-injection.md)
- [Authentication](/appsecexplained/common-vulns/authentication.md)
  - [Attacking password-based authentication](/appsecexplained/common-vulns/authentication/attacking-password-based-authentication.md)
  - [Attacking MFA](/appsecexplained/common-vulns/authentication/attacking-mfa.md)
  - [Authentication lab setup & writeups](/appsecexplained/common-vulns/authentication/authentication-lab-setup-and-writeups.md)
- [Cross-Site Request Forgery (CSRF)](/appsecexplained/common-vulns/cross-site-request-forgery-csrf.md)
- [Insecure deserialization](/appsecexplained/common-vulns/insecure-deserialization.md)
  - [PHP](/appsecexplained/common-vulns/insecure-deserialization/php.md)
  - [Java](/appsecexplained/common-vulns/insecure-deserialization/java.md)
  - [Python](/appsecexplained/common-vulns/insecure-deserialization/python.md)
  - [.NET](/appsecexplained/common-vulns/insecure-deserialization/.net.md)
- [Server-side request forgery (SSRF)](/appsecexplained/common-vulns/server-side-request-forgery-ssrf.md)
- [Insecure file upload](/appsecexplained/common-vulns/insecure-file-upload.md)
- [Clickjacking](/appsecexplained/common-vulns/clickjacking.md)
- [Open redirect](/appsecexplained/common-vulns/open-redirect.md)
- [Vulnerable components](/appsecexplained/common-vulns/vulnerable-components.md)
- [Race conditions](/appsecexplained/common-vulns/race-conditions.md)
  - [Limit overrun](/appsecexplained/common-vulns/race-conditions/limit-overrun.md)
- [Prototype pollution](/appsecexplained/common-vulns/prototype-pollution.md)
  - [Client-side prototype pollution](/appsecexplained/common-vulns/prototype-pollution/client-side-prototype-pollution.md)
- [APIs](/appsecexplained/common-vulns/apis.md)
  - [API: BOLA](/appsecexplained/common-vulns/apis/api-bola.md)
  - [API: Broken authentication](/appsecexplained/common-vulns/apis/api-broken-authentication.md)
  - [BOPLA](/appsecexplained/common-vulns/apis/bopla.md)
  - [API: BFLA](/appsecexplained/common-vulns/apis/api-bfla.md)
