# Server-Side Topics

- [API Testing](/web-security-academy-solutions/server-side-topics/api-testing.md)
- [Lab: Exploiting an API endpoint using documentation](/web-security-academy-solutions/server-side-topics/api-testing/lab-exploiting-an-api-endpoint-using-documentation.md)
- [Lab: Finding and exploiting an unused API endpoint](/web-security-academy-solutions/server-side-topics/api-testing/lab-finding-and-exploiting-an-unused-api-endpoint.md)
- [Lab: Exploiting a mass assignment vulnerability](/web-security-academy-solutions/server-side-topics/api-testing/lab-exploiting-a-mass-assignment-vulnerability.md)
- [Lab Exploiting server side parameter pollution in a query string](/web-security-academy-solutions/server-side-topics/api-testing/lab-exploiting-server-side-parameter-pollution-in-a-query-string.md)
- [Lab: Exploiting server side parameter pollution in a REST URL](/web-security-academy-solutions/server-side-topics/api-testing/lab-exploiting-server-side-parameter-pollution-in-a-rest-url.md)
- [NoSQL Injection](/web-security-academy-solutions/server-side-topics/nosql-injection.md): This section contains all walkthroughs of the topic NoSQL Injections.
- [Lab: Detecting NoSQL injection](/web-security-academy-solutions/server-side-topics/nosql-injection/lab-detecting-nosql-injection.md)
- [Lab: Exploiting NoSQL operator injection to bypass authentication](/web-security-academy-solutions/server-side-topics/nosql-injection/lab-exploiting-nosql-operator-injection-to-bypass-authentication.md)
- [Lab: Exploiting NoSQL injection to extract data](/web-security-academy-solutions/server-side-topics/nosql-injection/lab-exploiting-nosql-injection-to-extract-data.md)
- [Lab: Exploiting NoSQL operator injection to extract unknown fields](/web-security-academy-solutions/server-side-topics/nosql-injection/lab-exploiting-nosql-operator-injection-to-extract-unknown-fields.md)
- [Race Conditions](/web-security-academy-solutions/server-side-topics/race-conditions.md): This section contains all walkthroughs of the topic Race Conditions.
- [Lab: Limit overrun race conditions](/web-security-academy-solutions/server-side-topics/race-conditions/lab-limit-overrun-race-conditions.md)
- [Lab: Bypassing rate limits via race conditions](/web-security-academy-solutions/server-side-topics/race-conditions/lab-bypassing-rate-limits-via-race-conditions.md)
- [Lab: Multi endpoint race conditions](/web-security-academy-solutions/server-side-topics/race-conditions/lab-multi-endpoint-race-conditions.md)
- [Lab: Single endpoint race conditions](/web-security-academy-solutions/server-side-topics/race-conditions/lab-single-endpoint-race-conditions.md)
- [Lab: Partial construction race conditions](/web-security-academy-solutions/server-side-topics/race-conditions/lab-partial-construction-race-conditions.md)
- [Lab: Exploiting time sensitive vulnerabilities](/web-security-academy-solutions/server-side-topics/race-conditions/lab-exploiting-time-sensitive-vulnerabilities.md)
- [Web Cache Deception](/web-security-academy-solutions/server-side-topics/web-cache-deception.md)
- [Lab: Exploiting path mapping for web cache deception](/web-security-academy-solutions/server-side-topics/web-cache-deception/lab-exploiting-path-mapping-for-web-cache-deception.md)
- [Lab: Exploiting path delimiters for web cache deception](/web-security-academy-solutions/server-side-topics/web-cache-deception/lab-exploiting-path-delimiters-for-web-cache-deception.md)
- [Lab: Exploiting origin server normalization for web cache deception](/web-security-academy-solutions/server-side-topics/web-cache-deception/lab-exploiting-origin-server-normalization-for-web-cache-deception.md)
- [Lab: Exploiting cache server normalization for web cache deception](/web-security-academy-solutions/server-side-topics/web-cache-deception/lab-exploiting-cache-server-normalization-for-web-cache-deception.md)
- [Lab: Exploiting exact match cache rules for web cache deception](/web-security-academy-solutions/server-side-topics/web-cache-deception/lab-exploiting-exact-match-cache-rules-for-web-cache-deception.md)
- [XXE Injection](/web-security-academy-solutions/server-side-topics/xxe-injection.md)
- [Lab: Exploiting XXE using external entities to retrieve files](/web-security-academy-solutions/server-side-topics/xxe-injection/lab-exploiting-xxe-using-external-entities-to-retrieve-files.md)
- [Lab: Exploiting XXE to perform SSRF attacks](/web-security-academy-solutions/server-side-topics/xxe-injection/lab-exploiting-xxe-to-perform-ssrf-attacks.md)
- [Lab: Blind XXE with out of band interaction](/web-security-academy-solutions/server-side-topics/xxe-injection/lab-blind-xxe-with-out-of-band-interaction.md)
- [Lab: Blind XXE with out of band interaction via XML parameter entities](/web-security-academy-solutions/server-side-topics/xxe-injection/lab-blind-xxe-with-out-of-band-interaction-via-xml-parameter-entities.md)
- [Lab: Exploiting blind XXE to exfiltrate data using a malicious external DTD](/web-security-academy-solutions/server-side-topics/xxe-injection/lab-exploiting-blind-xxe-to-exfiltrate-data-using-a-malicious-external-dtd.md)
- [Lab: Exploiting blind XXE to retrieve data via error messages](/web-security-academy-solutions/server-side-topics/xxe-injection/lab-exploiting-blind-xxe-to-retrieve-data-via-error-messages.md)
- [Lab: Exploiting XInclude to retrieve files](/web-security-academy-solutions/server-side-topics/xxe-injection/lab-exploiting-xinclude-to-retrieve-files.md)
- [Lab: Exploiting XXE via image file upload](/web-security-academy-solutions/server-side-topics/xxe-injection/lab-exploiting-xxe-via-image-file-upload.md)
- [Lab: Exploiting XXE to retrieve data by repurposing a local DTD](/web-security-academy-solutions/server-side-topics/xxe-injection/lab-exploiting-xxe-to-retrieve-data-by-repurposing-a-local-dtd.md)