Web application vulnerabilities and how to prevent them

SQL Injection:

SQL injection is a technique where a malicious user injects SQL syntax through web page input (form fields, URL parameters, cookies, HTTP headers) that the application concatenates into an SQL statement, so the input changes the meaning of the query. A successful SQL injection exploit can read sensitive data from the database, modify database data (INSERT/UPDATE/DELETE) and execute administration operations on the database, such as shutting down the DBMS.

Any business affected by an SQL injection needs to act quickly to contain and fix the issue. The loss of personal data, financial information and other records can do a great deal of harm to a company's reputation, which is why it is crucial to be aware of and protected against such attacks before they occur.

To avoid SQL injection:

Use prepared statements with bound parameters. The SQL statement is sent to and parsed by the database server separately from any parameters, so user input can only ever be treated as a value; it cannot change the structure of the query. Both PDO and MySQLi support this.

Using PDO and MySQLi

1) Parameterised queries using bound, typed parameters.
2) Careful use of parameterised stored procedures (a procedure that concatenates its arguments into dynamic SQL internally is still injectable).

Two caveats: parameters can only carry values, so table or column names, sort direction and similar identifiers taken from user input must be checked against a fixed allowlist instead; and with the PDO MySQL driver, set PDO::ATTR_EMULATE_PREPARES to false so that statements are really prepared by the server rather than interpolated on the client.
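The vulnerable lookup beside its parameterised replacement, as an added example that is not code from the original article. It uses PDO with an in-memory SQLite database so it runs offline; the `users` table, its two rows and the `findUser*`/`listUsersSorted` function names are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): a vulnerable user lookup
// beside its parameterised replacement. Uses an in-memory SQLite database via
// PDO so it runs offline; the table and rows below are constructed sample data.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Make sure PDO uses real server-side prepared statements instead of
// client-side string interpolation (matters for the MySQL driver; harmless here).
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
foreach ([['alice', password_hash('correct horse', PASSWORD_DEFAULT)],
          ['bob',   password_hash('battery staple', PASSWORD_DEFAULT)]] as [$u, $h]) {
    $ins->execute([':u' => $u, ':h' => $h]);
}

// VULNERABLE: the username is concatenated into the SQL text, so the input
// becomes part of the query's structure.
function findUserVulnerable(PDO $pdo, string $username): array {
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed; the username travels as a typed parameter
// and is never parsed as SQL.
function findUserSafe(PDO $pdo, string $username): array {
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Parameters can only carry values. An identifier such as a sort column must
// instead be checked against a fixed list of allowed names before it is used.
function listUsersSorted(PDO $pdo, string $sortColumn): array {
    $allowed = ['id', 'username'];
    if (!in_array($sortColumn, $allowed, true)) {
        throw new InvalidArgumentException("unsupported sort column: $sortColumn");
    }
    return $pdo->query("SELECT id, username FROM users ORDER BY $sortColumn")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Classic injection payload: closes the string literal and appends a tautology.
$payload = "x' OR '1'='1";

echo "vulnerable query returned " . count(findUserVulnerable($pdo, $payload)) . " rows\n";
echo "parameterised query returned " . count(findUserSafe($pdo, $payload)) . " rows\n";
print_r(listUsersSorted($pdo, 'username'));
```

With the payload shown, the concatenated query becomes `... WHERE username = 'x' OR '1'='1'` and matches every user, while the prepared statement looks for a user literally named `x' OR '1'='1` and finds none. The ORDER BY case shows the part prepared statements cannot solve: a column name is not a value, so it is validated against an allowlist rather than bound.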

Broken Authentication & Session Management

Broken Authentication and Session Management flaws arise when the functions that handle login and session tracking are implemented incorrectly. An attacker who finds one can steal or guess passwords, user IDs, session identifiers and account details, and then act as that user, often without having to target any specific victim.

OWASP lists seven reasons an application may be vulnerable:

User authentication credentials aren't protected with hashing or encryption when stored.
Credentials can be guessed or overwritten through weak account management functions.
Session IDs are exposed in the URL.
Session IDs are vulnerable to session fixation attacks.
Session IDs don’t timeout, or user sessions or authentication tokens, particularly single sign-on tokens, aren’t properly invalidated during logout.
Session IDs aren’t rotated after successful login.
Passwords, session IDs and other credentials are sent over unencrypted connections.

To prevent Broken Authentication & Session Management

To prevent these vulnerabilities, first make sure that TLS (HTTPS) is used for every authenticated part of the application, not only the login page. In addition, verify that passwords are stored only as salted hashes produced by a slow, purpose-built algorithm (bcrypt, scrypt or Argon2), never in plaintext, reversibly encrypted, or with a fast general-purpose hash such as MD5 or SHA-1.

1) Avoid cookieless sessions: never carry the session ID in the URL, where it leaks through logs, bookmarks and the Referer header.
2) Look into IP checking, but treat it as a weak extra signal only: users behind NAT or on mobile networks change address legitimately, so strictly binding a session to an IP address locks them out while doing little against an attacker on the same network.
3) Use TLS, and mark the session cookie Secure and HttpOnly.
4) Expire sessions early and often: apply both an idle timeout and an absolute lifetime, regenerate the session ID after login, and invalidate the session on the server at logout.
5) Double-check passwords on certain activities: ask the user to re-enter the password before sensitive actions such as changing the e-mail address or password.
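The measures above applied with PHP's built-in session handling, as an added example that is not code from the original article. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params()` and the SameSite flag); the timeout values, the `$users` store and the `login`/`logout`/`reauthenticate` function names are constructed for the demonstration. IP checking is deliberately left out for the reasons given above.

```php
<?php
// Added example (not from the original article): session hardening with
// PHP's native sessions. Timeout values and the in-memory user store are
// assumptions made for the demonstration.

// 1. Cookie-only sessions: never accept or emit a session ID in the URL.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session IDs the server did not itself issue (defeats session fixation).
ini_set('session.use_strict_mode', '1');

// 3. Cookie flags: Secure (HTTPS only), HttpOnly (no JavaScript access), SameSite.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

session_start();

const IDLE_TIMEOUT_SECONDS     = 15 * 60;   // assumed policy: 15 min idle
const ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600;  // assumed policy: 8 h per login

// 4. Expire early and often: idle timeout and absolute lifetime, checked on
// every request; the session ID is also rotated on every privilege change.
function enforceTimeouts(): void {
    $now = time();
    $idle     = isset($_SESSION['last_seen']) && ($now - $_SESSION['last_seen']) > IDLE_TIMEOUT_SECONDS;
    $tooOld   = isset($_SESSION['login_at'])  && ($now - $_SESSION['login_at'])  > ABSOLUTE_TIMEOUT_SECONDS;
    if ($idle || $tooOld) {
        logout();
        return;
    }
    $_SESSION['last_seen'] = $now;
}

// Invalidate the session on the server and expire the cookie in the browser.
function logout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Passwords are stored as slow salted hashes; password_verify() does the compare.
function login(string $username, string $password, array $users): bool {
    $hash = $users[$username] ?? null;
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Rotate the ID after successful login so a pre-login ID an attacker may
    // have planted (session fixation) is worthless.
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['login_at']  = time();
    $_SESSION['last_seen'] = time();
    return true;
}

// 5. Double-check the password before sensitive actions, even though the
// caller already holds a valid session.
function reauthenticate(string $password, array $users): bool {
    $user = $_SESSION['user'] ?? null;
    return $user !== null && password_verify($password, $users[$user] ?? '');
}

// Constructed sample user store: username => bcrypt hash.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

$loggedIn  = login('alice', 'correct horse', $users);
enforceTimeouts();
$mayChange = $loggedIn && reauthenticate('correct horse', $users);
$wrong     = reauthenticate('guess', $users);

echo 'login=' . var_export($loggedIn, true)
   . ' reauth=' . var_export($mayChange, true)
   . ' wrong-password=' . var_export($wrong, true) . "\n";
```

`session.use_strict_mode` is what actually closes the session fixation hole: without it PHP happily adopts whatever ID arrives in the cookie, so an attacker can set a known ID on the victim before login. `session_regenerate_id(true)` then makes sure the ID the victim used while anonymous is not the one that becomes authenticated.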

XSS (Cross Site Scripting)

XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Because the injected script runs in the victim's browser with the privileges of the vulnerable site, it can read whatever the page itself can: form fields as they are typed, session cookies that are not marked HttpOnly, account details shown on the page. It can send all of this to the attacker in the background, so neither the website owner nor the user notices anything unusual at the time.

Data loss, defaced or misleading content and the other consequences listed above damage a company's reputation and can lastingly harm the brand if the flaw is left unfixed.

To prevent XSS (Cross Site Scripting)

Data Validation: check that input matches the rules for its context (type, length, format) before using it.
Data Sanitization: strip or neutralise dangerous constructs from input that must be allowed to contain markup.
Output Escaping: encode data for the exact context in which it is written (HTML body, attribute, JavaScript, URL).

  • Never pass data from untrusted origins into output without either escaping or sanitising it.
  • Never forget to validate data arriving from an untrusted origin using relevant rules for the context it's used in.
  • Remember that anything not explicitly defined in source code has an untrusted origin.
  • Remember that htmlentities() is incompatible with XML, including HTML5's XML serialisation; use htmlspecialchars().
  • Always include ENT_QUOTES, ENT_SUBSTITUTE and a valid character encoding when calling htmlspecialchars().
  • Never use htmlspecialchars() as the primary means of escaping JavaScript, CSS or URL parts; each context needs its own encoder.
  • Never use json_encode() to escape JavaScript strings unless you are on PHP 5.3 or later and pass the JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT flags; without them the output can still close a <script> block.
  • Use rawurlencode() to escape strings being inserted into URLs and then HTML escape the entire URL.
  • Never ever pass escaped or sanitised data from untrusted origins into a JavaScript execution context: a string later executed as JavaScript, for example through eval(), new Function() or setTimeout() with a string argument.
  • Validate all complete URLs if constructed from untrusted data.
  • Never rely on filter_var() alone to validate URLs: it checks syntax only and does not restrict the scheme, so a link such as javascript: can pass. Parse the URL and allow only the schemes you expect (normally http and https).
  • Never include resources loaded over unsecured HTTP on a page loaded over HTTPS.
  • Sanitise raw HTML from untrusted origins using HTMLPurifier before injecting it into output.
  • Sanitise the output of Markdown, BBCode and other HTML replacements using HTMLPurifier before injecting it into output.
  • Remember that strip_tags() and regular expressions are not HTML sanitisers; HTMLPurifier, which parses and rebuilds the markup against an allowlist, is the one to use.
  • Adopt the Content Security Policy (CSP) header and abandon the use of inline CSS and JavaScript where feasible.
  • Always transmit, with content, a valid Content-Type header referencing a valid character encoding.
  • Ensure that cookies for use solely by the server are marked HttpOnly.
  • Ensure that cookies which must only be transmitted over HTTPS are marked Secure.
  • Always review dependencies and other third party code for potential XSS vulnerabilities and vectors.
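Context-aware output escaping for the cases the checklist names, as an added example that is not code from the original article. Only PHP built-ins are used; the attacker-controlled input strings, the `e`/`jsValue`/`queryUrl`/`safeHref` helper names and the CSP policy are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): one encoder per output
// context, plus a scheme allowlist for URLs built from untrusted data.
// The input values are constructed attacker-controlled strings.

// HTML body and attribute context: escape all five special characters,
// substitute invalid UTF-8 instead of returning an empty string, fix the charset.
function e(string $untrusted): string {
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript context: json_encode() with the HEX flags so that <, >, &, ' and "
// come out as \u003C etc. and cannot terminate a <script> block. The result is
// only ever used as a JavaScript value, never handed to eval().
function jsValue($untrusted): string {
    $out = json_encode($untrusted, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $out === false ? 'null' : $out;
}

// URL query parameters: percent-encode each key and value; the caller then
// HTML-escapes the whole URL where it lands in an attribute.
function queryUrl(string $base, array $params): string {
    $parts = [];
    foreach ($params as $k => $v) {
        $parts[] = rawurlencode((string) $k) . '=' . rawurlencode((string) $v);
    }
    return $base . '?' . implode('&', $parts);
}

// Complete URL from untrusted data: parse it and allow only http/https with a
// host; anything else (javascript:, data:, relative tricks) is rejected.
function safeHref(string $untrustedUrl): ?string {
    $p = parse_url($untrustedUrl);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $untrustedUrl;
}

// Constructed attacker-controlled inputs.
$name   = '<script>alert(1)</script>';
$attr   = '" onmouseover="alert(1)';
$jsData = '</script><script>alert(1)</script>';
$search = 'a&b=c d';
$link1  = 'javascript://%0Aalert(1)';
$link2  = 'https://example.com/profile';

// Declare the encoding and restrict where scripts may come from.
header('Content-Type: text/html; charset=UTF-8');
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
?>
<!doctype html>
<meta charset="utf-8">
<p>Hello, <?= e($name) ?></p>
<input value="<?= e($attr) ?>">
<a href="<?= e(queryUrl('/search', ['q' => $search])) ?>">search</a>
<a href="<?= e(safeHref($link1) ?? '#') ?>">link 1 (javascript: scheme, rejected)</a>
<a href="<?= e(safeHref($link2) ?? '#') ?>">link 2 (https, allowed)</a>
<script>
  // Data reaches JavaScript as a value; it is never assembled into code.
  var profile = <?= jsValue(['name' => $name, 'raw' => $jsData]) ?>;
</script>
```

Each helper belongs to exactly one context: `e()` for HTML text and attributes, `jsValue()` inside `<script>`, `queryUrl()` for query strings (followed by `e()` because the result sits in an attribute), `safeHref()` for whole URLs. Reusing `e()` for the script block would leave `</script>` intact inside the JSON string, which is the failure the checklist warns about; with the HEX flags the `<` becomes `\u003C` and the string can no longer end the block.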


To know more about our web and mobile development service visit http://evincetech.com.
For more information, please contact us with the specifications for your project. You can email our sales team at info@evincetech.com, or call us at the following numbers.
India: (+91) 44 42170775, (+91) 91766 40375
USA [Toll Free]: 866 220 6565