Chapter 6 DXp SeCurity Table 6-1. (continued) Category Main Vulnerabilities Best Practices Data validation • injection attacks • perform client-side and server-side validation (related to SQL, LDap, • encode and sanitize end user data. OS, Xpath, http • Validate against blacklist and reject/remove all header) special characters. • Cross-site scripting • use parameterized queries or prepared statements (XSS) or OrM frameworks for database query execution. • executable file uploads • Block any scripts calling OS commands and prevent upload of any executables. • use XSS filters to allow only safe commands and sanitize inputs. authentication • Brute force attack • usage of CaptCha • Weak password policy • enforcing strict password policies • CSrF • use CSrF tokens with web requests. you could use referrer validation or custom http header (such as X-requested-by) to avoid CSrF attacks. • use multifactor authentication (MFa) for secure operations. • Disable autocomplete for form fields storing sensitive information (such as user names, passwords, email iDs, etc.) authorization • absence of sufficient • Define role-based access and permission model. authorization and • Validate user details before sensitive operations permission model such as password update. • insecure user • use “deny by default” and “least privilege” policy. impersonation • implement fine-grained access control to resources such as pages and functionality. (continued) 191