OWASP Top 10 – XSS

  • Sending untrusted data to the system
  • Sending text-based attack scripts that the interpreter in the browser executes


  • session hijacking
  • defacement
  • insert hostile content
  • redirect user


  • escape all untrusted data
  • whitelisting
  • input validation
  • server-side validation
  • For rich content – use an auto-sanitisation library, e.g. OWASP AntiSamy
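The escaping and whitelisting points above, as an added example (not from the original notes, and not OWASP AntiSamy itself): a vulnerable rendering next to per-context escaping, plus a toy tag allow-list sanitizer that shows the idea behind a library like AntiSamy. The comment value and the `ALLOWED_TAGS` set are assumptions made for the demo.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed untrusted input (example value, not from any real site): a comment
# body as an attacker might submit it.
UNTRUSTED_COMMENT = "<script>alert('xss')</script>"


def render_vulnerable(comment: str) -> str:
    """'Before' form: untrusted data is concatenated straight into the page,
    so any markup it contains is interpreted by the browser."""
    return f'<div class="comment">{comment}</div>'


def render_escaped(comment: str) -> str:
    """Hardened form for the HTML body context: escape the five significant
    characters so the browser renders the text literally."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def render_attribute(value: str) -> str:
    """Attribute context: always quote the attribute and escape quotes as well,
    so the value cannot close the attribute and start a new one."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def render_url_param(value: str) -> str:
    """URL context: percent-encode the value first, then HTML-escape the href
    it is embedded in (two contexts, two encoders, innermost first)."""
    return f'<a href="/search?q={html.escape(quote(value, safe=""))}">search</a>'


# Allow-list for rich content (assumed set): only these tags survive, with no
# attributes at all.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p"}


class AllowListSanitizer(HTMLParser):
    """Toy allow-list sanitizer: keeps listed tags (stripped of attributes),
    drops every other tag, and escapes all text. It illustrates the idea behind
    libraries such as OWASP AntiSamy; use such a library in production."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes (onclick, href, ...) dropped

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize_rich_text(fragment: str) -> str:
    sanitizer = AllowListSanitizer()
    sanitizer.feed(fragment)
    sanitizer.close()
    return "".join(sanitizer.out)


if __name__ == "__main__":
    print(render_vulnerable(UNTRUSTED_COMMENT))  # script tag reaches the browser
    print(render_escaped(UNTRUSTED_COMMENT))     # rendered as harmless text
    print(sanitize_rich_text('<b onclick="alert(1)">bold</b><script>alert(1)</script>'))
```

The point of the three `render_*` functions is that the escaper depends on where the data lands (body, attribute, URL); one encoder for all contexts is the usual mistake. The sanitizer keeps allowed tags but throws away every attribute, which is the simplest allow-list policy; it does not balance tags or handle nested edge cases, which is why the notes recommend a maintained library.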

OWASP Top 10 – XML External Entities (XXE)

This causes

  • Data extraction
  • Remote code execution
  • Scan internal systems
  • Perform Denial of Service.

Your application is vulnerable if it uses SAML for identity processing and its XML processor handles any of the following:

  • Untrusted XML Acceptance
  • Untrusted XML Uploads
  • Inserting untrusted data in XML


  • sanitize input
  • Use SOAP 1.2
  • Patch and upgrade the XML processor

DISABLE XML External Entity and DTD Processing in all XML Parsers in applications.
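What "disable external entities and DTD processing" looks like in code, as an added example (not from the original notes): an expat guard pass whose DOCTYPE, entity-declaration and external-entity handlers abort before ElementTree parses the document. The sample documents are constructed, and `file:///example/secret.txt` is a placeholder path.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised for any document that carries a DOCTYPE, entity declaration or
    external entity reference; such input is refused outright."""


def _reject_doctype(name, system_id, public_id, has_internal_subset):
    raise UnsafeXMLError(f"DOCTYPE {name!r} refused: DTD processing is disabled")


def _reject_entity_decl(*decl):
    raise UnsafeXMLError("entity declaration refused")


def _reject_external_entity(context, base, system_id, public_id):
    raise UnsafeXMLError(f"external entity {system_id!r} refused")


def parse_xml_safely(data: str) -> ET.Element:
    """Run an expat pass whose DTD and entity handlers abort, then parse with
    ElementTree. Expat stops as soon as a handler raises, so no entity is ever
    expanded and no external resource is ever fetched."""
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject_doctype
    guard.EntityDeclHandler = _reject_entity_decl
    guard.ExternalEntityRefHandler = _reject_external_entity
    guard.Parse(data, True)  # raises UnsafeXMLError on the first forbidden construct
    return ET.fromstring(data)


def is_safe_xml(data: str) -> bool:
    try:
        parse_xml_safely(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed samples (not taken from any real request).
SAFE_ORDER = "<order><id>42</id><item>widget</item></order>"

# External-entity shape: the entity points at a local file (placeholder path).
XXE_SAMPLE = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE order [<!ENTITY secret SYSTEM "file:///example/secret.txt">]>'
    "<order><id>&secret;</id></order>"
)

# Entity-expansion (denial-of-service) shape: nested internal entities.
EXPANSION_SAMPLE = (
    '<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
    "<lolz>&lol2;</lolz>"
)


if __name__ == "__main__":
    print(parse_xml_safely(SAFE_ORDER).find("id").text)  # 42
    for sample in (XXE_SAMPLE, EXPANSION_SAMPLE):
        try:
            parse_xml_safely(sample)
        except UnsafeXMLError as err:
            print("rejected:", err)
```

Rejecting the DOCTYPE outright is the simplest policy: both the data-extraction payload and the expansion (denial-of-service) payload need a DTD, so they never reach entity handling at all. Where a library such as defusedxml or lxml with entity resolution disabled is available, it does the same job with a maintained implementation.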

OWASP Top 10 – Sensitive Data Exposure

Data Security at Rest, In Transit and In Client Browser.


  • Encryption – Key Rotation, Storage, Split Knowledge
  • Data Masking
  • No hard-coded credentials
  • Disable page caching (this also helps when permissions change)
  • Re-verify identity and object access.
  • no plain text data exchange
  • no weak algorithms
  • Discard sensitive data (from session/memory/cache etc.) ASAP.
  • Preferably encrypt data even when it is in memory (performance overhead).

OWASP Top 10 – Broken Authentication

  • Dictionary attack
  • Leaked credentials
  • Once the attacker gains access: identity theft, money/card fraud, data theft.


  1. Confirm users' identity and harden session management
  2. Implement multi-factor authentication.
  3. No default or standard credentials
  4. Implement weak-password checks
  5. Length, complexity and history checks
  6. Limit failed logins
  7. Log every login activity regardless of success or failure


Probably implement a breached-password check using https://haveibeenpwned.com/
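Points 4 to 7 and the Have I Been Pwned idea, as an added example (not from the original notes): a length/complexity/history policy, the k-anonymity prefix split used by the Pwned Passwords range API (the response body below is constructed, no network call is made), and a sliding-window failed-login limiter with an audit trail. The thresholds (12 characters, 3 classes, 5 failures per 15 minutes, 100,000 PBKDF2 rounds) are assumptions for the demo.

```python
import hashlib
import hmac
import os
from collections import defaultdict

MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
PBKDF2_ROUNDS = 100_000  # illustration value; tune to your hardware budget


def hash_for_history(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 digest so the history never stores passwords in clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password: str, history: list) -> bool:
    return any(
        hmac.compare_digest(hash_for_history(password, salt)[1], digest)
        for salt, digest in history
    )


def password_policy_problems(password: str, history: list) -> list:
    """Length, complexity and history checks; empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if in_history(password, history):
        problems.append("reused from password history")
    return problems


def hibp_range_parts(password: str) -> tuple:
    """k-anonymity split used by the Pwned Passwords range API: only the first
    five hex characters of the SHA-1 leave the client; the suffix is matched
    locally against the returned list."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """range_response is the body of GET https://api.pwnedpasswords.com/range/<prefix>,
    one 'SUFFIX:COUNT' per line. No network call is made here."""
    _, suffix = hibp_range_parts(password)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed stand-in for a range response (suffixes and counts are made up,
# except that the second suffix is the real SHA-1 tail of "password").
CONSTRUCTED_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E7B2C8F3D4E5A6B7C8D9E0F1A2B3C4D5E6:1
"""


class LoginThrottle:
    """Sliding-window failed-login limiter plus an audit trail of every attempt."""

    def __init__(self, max_failures: int = 5, window_seconds: float = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(list)  # username -> failure timestamps
        self.audit = []                    # (event, username, timestamp)

    def _prune(self, username: str, now: float) -> None:
        self.failures[username] = [t for t in self.failures[username] if now - t < self.window]

    def is_locked(self, username: str, now: float) -> bool:
        self._prune(username, now)
        return len(self.failures[username]) >= self.max_failures

    def record_failure(self, username: str, now: float) -> None:
        self._prune(username, now)
        self.failures[username].append(now)
        self.audit.append(("login_failure", username, now))

    def record_success(self, username: str, now: float) -> None:
        self.failures.pop(username, None)
        self.audit.append(("login_success", username, now))
```

The range lookup is what makes the breach check acceptable to run against a third party: the full password hash never leaves the client, only a 5-character prefix, and the match against the suffix happens locally. The throttle keys on the username so a dictionary attack against one account is cut off after `max_failures` attempts within the window, while the audit list records successes and failures alike, as point 7 asks.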

OWASP Top 10 – Injection

Occurs when untrusted data is sent to an interpreter as a part of command.


  1. Handle error messages and errors gracefully: return a custom error page and do not reveal DB details or the query.
  2. Sanitize inputs
  3. Escape characters (ex. whitelisting)
  4. Filter SQL keywords such as SELECT, UNION, INSERT
  5. Parameter typecasting
  6. Add a query-building layer. Keep untrusted data separate from queries.

Or in other words

Level One = Parameter, datatype, length check

Level Two = Number of parameters sent to query.

Level Three = Don’t show query and other errors on production
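The three levels and the query-building layer (point 6), as an added example (not from the original notes): a vulnerable string-built query next to its parameterized form, a Level One parameter check, a Level Two check on the parameter set, and a Level Three handler that logs database errors server-side and returns only a generic message. The in-memory SQLite table, the `users` schema and the username pattern are assumptions for the demo.

```python
import re
import sqlite3


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    """'Before' form: the untrusted value becomes part of the command text, so
    a quote in the input changes the meaning of the query."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, username: str) -> list:
    """Hardened form (the query-building layer): the query text is fixed and the
    value travels separately, so it is never interpreted as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed username format


def validate_username(value) -> str:
    """Level One: type, length and allowed-character check on the parameter."""
    if not isinstance(value, str):
        raise ValueError("username must be a string")
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username has disallowed characters or bad length")
    return value


def lookup_user(conn, params: dict) -> dict:
    """Request handler applying all three levels. Level Two: exactly the expected
    parameters and nothing more. Level Three: clients only ever see a generic error."""
    if set(params) != {"username"}:
        return {"error": "bad request"}
    try:
        username = validate_username(params["username"])
        return {"results": find_user_parameterized(conn, username)}
    except ValueError:
        return {"error": "bad request"}
    except sqlite3.Error as err:
        # Keep the detail in the server log (print is a stand-in); never return it.
        print(f"[server log] database error: {err}")
        return {"error": "internal error"}


# Constructed input: the textbook quote-based payload.
INJECTION_INPUT = "' OR '1'='1"


if __name__ == "__main__":
    conn = demo_db()
    print(find_user_vulnerable(conn, INJECTION_INPUT))      # every row comes back
    print(find_user_parameterized(conn, INJECTION_INPUT))   # []
    print(lookup_user(conn, {"username": INJECTION_INPUT})) # {'error': 'bad request'}
```

Parameterization alone already defeats the payload (the second call returns nothing), so the validation levels are defence in depth: Level One rejects the input before it reaches the database, Level Two refuses requests carrying unexpected parameters, and Level Three makes sure a query that does fail in production tells the client nothing about the schema or the statement.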