# Web & API Penetration Testing

- [PortSwigger](/notes/labs/web-and-api-penetration-testing/portswigger.md)
- [Notes](/notes/labs/web-and-api-penetration-testing/portswigger/notes.md): PortSwigger Labs Notes & Walkthrough
- [API Testing](/notes/labs/web-and-api-penetration-testing/portswigger/api-testing.md)
- [1. Exploiting an API endpoint using documentation](/notes/labs/web-and-api-penetration-testing/portswigger/api-testing/1.-exploiting-an-api-endpoint-using-documentation.md)
- [2. Exploiting server-side parameter pollution in a query string](/notes/labs/web-and-api-penetration-testing/portswigger/api-testing/2.-exploiting-server-side-parameter-pollution-in-a-query-string.md)
- [3. Finding and exploiting an unused API endpoint](/notes/labs/web-and-api-penetration-testing/portswigger/api-testing/3.-finding-and-exploiting-an-unused-api-endpoint.md)
- [4. Exploiting a mass assignment vulnerability](/notes/labs/web-and-api-penetration-testing/portswigger/api-testing/4.-exploiting-a-mass-assignment-vulnerability.md)
- [5. Exploiting server-side parameter pollution in a REST URL](/notes/labs/web-and-api-penetration-testing/portswigger/api-testing/5.-exploiting-server-side-parameter-pollution-in-a-rest-url.md)
- [Command Injection](/notes/labs/web-and-api-penetration-testing/portswigger/command-injection.md)
- [1. OS command injection, simple case](/notes/labs/web-and-api-penetration-testing/portswigger/command-injection/1.-os-command-injection-simple-case.md)
- [2. Blind OS command injection with time delays](/notes/labs/web-and-api-penetration-testing/portswigger/command-injection/2.-blind-os-command-injection-with-time-delays.md)
- [3. Blind OS command injection with output redirection](/notes/labs/web-and-api-penetration-testing/portswigger/command-injection/3.-blind-os-command-injection-with-output-redirection.md)