A canopy of apple-blossom
Beneath the deceptively tranquil canopy of web applications, a thriving ecosystem buzzes with activity—each bloom (endpoint) offering nectar (data) to legitimate pollinators (users), while hiding rot (vulnerabilities) in its petals. Like aphids draining sap, we probe for XSS holes in the fragrant blossoms, SQLi larvae burrowing into the fruit, and CSRF mites weaving invisible threads between branches. The orchard keepers (developers) often mistake beauty for health, not seeing how their prized blossoms drip with vulnerable pollen (insecure APIs) or how their sturdiest boughs (auth systems) crack under the slightest pressure.
This is the IN phase’s sweetest hunt: where low-hanging fruit (default creds) weighs down every other branch, where poisoned pollen (malicious inputs) spreads through interconnected flowers (microservices), and where the hungriest caterpillars (injection attacks) can spin entire webs (shell access) from a single nibbled leaf (parameter).
From PortSwigger’s lab-choked groves to Root-me’s thorny challenge vines, we document which blooms surrender their nectar too easily—and which ones hide wasp nests (RCE) beneath their petals. PortSwigger Academy is the gardening class; Root-me is the wilderness survival trial—both end with you owning the orchard.
Every beautiful web app has at least one worm in its fruit:
- Field notes from the fragrant branches of web app exploitation
  - Cross-site scripting (XSS)
  - Open redirection
  - Clickjacking
  - Cross-site request forgery (CSRF)
  - Insecure direct object references (IDOR)
  - SQL injection
  - Race conditions
  - Server-side request forgery (SSRF)
  - Insecure deserialisation
  - XML external entity (XXE) injection
  - Web cache poisoning
  - HTTP request smuggling
  - Template injection (SSTI)
  - Directory traversal
  - Authentication vulnerabilities
  - Single sign-on (SSO) security
  - Broken access control
  - Application logic errors
  - HTTP Host header attacks
  - WebSocket vulnerabilities
  - Remote code execution (RCE)
  - Same-origin policy (SOP)
  - Information disclosure
  - File uploads
  - JSON web token (JWT) attacks
  - Prototype pollution
- PortSwigger Academy labs: Controlled burn
  - Cross-site scripting (XSS)
  - SQL injection (SQLi)
  - Cross-site request forgery (CSRF)
  - Clickjacking
  - DOM-based vulnerabilities
  - Cross-origin resource sharing (CORS) misconfigurations
  - XML external entity (XXE) attacks
  - Server-side request forgery (SSRF)
  - HTTP request smuggling
  - OS command injection (also known as shell injection)
  - Server-side template injection (SSTI)
  - Directory traversal (also known as file path traversal)
  - Access control vulnerabilities
  - Authentication vulnerabilities
  - WebSocket vulnerabilities
  - Web cache poisoning
  - Insecure deserialisation
  - Information disclosure
  - Business logic vulnerabilities
  - HTTP Host header attacks
  - OAuth authentication vulnerabilities
  - File upload vulnerabilities
  - JSON web token (JWT) vulnerabilities
  - Prototype pollution
- Root-me: Orchard foraging
- Petals and pentesting priorities