    OWASP Top 10

    A1: Injection
    Solution
    +Validate user input (allow-list where possible)
    +Never concatenate untrusted data into queries
    +Use parameterized queries (prepared statements) for every query that carries user input
    +Never connect to the database as an administrator; use a least-privilege account
    +Use LIMIT where possible so a successful injection cannot dump whole tables
    +Encrypt confidential and sensitive information
    +Handle exceptions properly: log the details server-side, return a generic error to the client
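The concatenation-versus-parameterization point above, as an added example (not code from the original post). It uses Python's built-in sqlite3 module against a constructed in-memory table; the payload, table and function names are assumptions for the demo:

```python
import logging
import sqlite3

# Constructed sample database for this example (not from the original post).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE on purpose: the untrusted value becomes part of the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the driver binds the value separately from the SQL text,
    # so it is compared as data and can never be parsed as SQL.
    # LIMIT 1 bounds the damage if some other query is ever exploited.
    sql = "SELECT username FROM users WHERE username = ? LIMIT 1"
    return [row[0] for row in conn.execute(sql, (username,))]

def lookup_user(conn: sqlite3.Connection, username: str) -> dict:
    # Exception handling: log the real database error server-side and return a
    # generic result, so SQL errors (and table or column names) never reach the client.
    try:
        return {"ok": True, "users": find_user_safe(conn, username)}
    except sqlite3.Error as exc:
        logging.exception("database error during user lookup: %s", exc)
        return {"ok": False, "error": "lookup failed"}

def run_demo() -> dict:
    conn = make_db()
    payload = "x' OR '1'='1"  # classic injection payload (constructed)
    return {
        "vulnerable": find_user_vulnerable(conn, payload),   # returns every user
        "safe": find_user_safe(conn, payload),               # returns nothing
        "safe_normal": lookup_user(conn, "alice")["users"],  # normal input still works
    }

if __name__ == "__main__":
    print(run_demo())
```

With the payload, the vulnerable query becomes `SELECT username FROM users WHERE username = 'x' OR '1'='1'` and returns every row; the parameterized version compares the whole payload as a literal string and returns nothing.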

    A2: Broken Authentication
    Solution
    +Multi-factor authentication
    +Store passwords with a modern, salted, slow one-way hash (Argon2, bcrypt, scrypt or PBKDF2)
    +Strong password policy and checking (including checks against known breached-password lists)
    +Well-designed, generic messages for registration, password reset and login, so accounts cannot be enumerated
    +Log authentication failures
    +Alert the administrator when brute force is detected (and rate-limit or lock out the account)
    +No default passwords
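Password storage and brute-force detection from the list above, as an added example (not the original post's code). It uses PBKDF2-HMAC-SHA256 from Python's standard library with a per-password random salt and a constant-time comparison, and a small guard that logs failures and records an alert once a threshold is crossed. The iteration count, the storage format and the `LoginGuard` class are assumptions of this example:

```python
import base64
import hashlib
import hmac
import logging
import os
from typing import Optional

# Iteration count is an assumption for this example; tune it for your hardware.
# (OWASP's Password Storage Cheat Sheet currently suggests 600,000 for PBKDF2-HMAC-SHA256.)
DEFAULT_ITERATIONS = 600_000

def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    # Fresh random salt per password: identical passwords get different hashes.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify_password(password: str, stored: str) -> bool:
    # The parameters travel with the hash, so the cost can be raised later per user.
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(dk, expected)  # constant-time comparison

# Hash of a throwaway password, so a login for an unknown user costs as much as a real one.
_DUMMY_HASH = hash_password("not-a-real-password")

class LoginGuard:
    """Counts failures per account, logs them, and records an alert once a threshold is hit."""

    def __init__(self, users: dict, max_failures: int = 5):
        self.users = users          # username -> stored hash string
        self.max_failures = max_failures
        self.failures = {}          # username -> consecutive failures
        self.alerts = []            # usernames the administrator should be told about

    def login(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        if stored is None:
            verify_password(password, _DUMMY_HASH)  # equalize timing; unknown user is not revealed
            ok = False
        else:
            ok = verify_password(password, stored)
        if ok:
            self.failures.pop(username, None)
            return True
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        logging.warning("authentication failure user=%r count=%d", username, count)
        if count == self.max_failures:
            self.alerts.append(username)  # hand this to your alerting pipeline; recorded here
        return False  # the caller shows the same generic "invalid credentials" message either way
```

The caller must not distinguish "no such user" from "wrong password" in its response or its timing; that is why the unknown-user branch still runs a full PBKDF2 computation against a dummy hash.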

    A3: Sensitive Data Exposure
    What counts as sensitive
    +Payment card data covered by PCI DSS
    +PII (Personally Identifiable Information)
    +Passwords (and other credentials: keys, tokens)
    +Whatever local privacy laws and regulations define as sensitive
    Solution
    +Review local privacy laws and regulations
    +Classify data
    +Don't store sensitive data unnecessarily
    +Encrypt all sensitive data, at rest and in transit (TLS)
    +Enforce HTTP Strict Transport Security (HSTS) where possible
    +Disable caching for responses that contain sensitive data

    A5: Broken Access Control
    Solution:
    +Deny by default, with public resources as the explicit exception
    +One access control model shared throughout the application, never re-implemented per handler
    +Log access failures, and alert the administrator when appropriate
    +Disable web server directory listing
    +Control access to APIs: check authorization on every REST method (GET, POST, PUT, DELETE), not only in the UI
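The deny-by-default, shared-model and logging points above, as an added example that is not part of the original post. The policy table, role names, paths and the `AccessControl` class are assumptions for the demo; it also adds a record-level ownership check, which is the horizontal half of access control that a method/path table alone does not cover:

```python
import logging
from collections import Counter
from typing import Optional

# Constructed policy for this example: (HTTP method, path) -> roles allowed.
# This single table is the access control model every handler consults;
# anything not listed, including unknown methods and paths, is denied.
POLICY = {
    ("GET", "/api/articles"): {"anonymous", "user", "admin"},  # public resource: the explicit exception
    ("POST", "/api/articles"): {"user", "admin"},
    ("PUT", "/api/articles"): {"user", "admin"},
    ("DELETE", "/api/articles"): {"admin"},
    ("GET", "/api/admin/users"): {"admin"},
}

class AccessControl:
    def __init__(self, policy: dict, alert_threshold: int = 3):
        self.policy = policy
        self.alert_threshold = alert_threshold
        self.denials = Counter()   # subject -> number of denied requests
        self.alerts = []           # subjects reported to the administrator

    def is_allowed(self, role: str, method: str, path: str) -> bool:
        # .get(..., set()) is the deny-by-default: no entry means nobody is allowed.
        return role in self.policy.get((method.upper(), path), set())

    def authorize(self, role: str, subject: str, method: str, path: str,
                  owner: Optional[str] = None) -> bool:
        allowed = self.is_allowed(role, method, path)
        # Record-level (horizontal) check: a user may only modify records they own.
        if allowed and owner is not None and role != "admin" and owner != subject:
            allowed = False
        if allowed:
            return True
        self.denials[subject] += 1
        logging.warning("access denied subject=%r role=%r %s %s", subject, role, method, path)
        if self.denials[subject] == self.alert_threshold:
            self.alerts.append(subject)  # repeated denials from one subject usually mean probing
        return False
```

A handler calls `authorize()` before doing any work, passing the record's owner when the request targets a specific record; because the table is the only source of truth, adding a new endpoint without a policy entry leaves it closed rather than open.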

    A7: Cross-Site Scripting (XSS)
    Types
    +Reflected XSS
    +Persistent/Stored XSS
    +DOM-based XSS
    Untrusted input sources:
    +The URL
    +The HTTP Referer header
    +GET parameters from a form
    +POST parameters from a form
    +window.location
    +document.referrer
    +document.location
    +document.URL
    +document.URLUnencoded
    +Cookie data
    +Header data
    +Database data (stored XSS: content written earlier by another user)
    Solution
    +Use a framework that escapes output by default
    +Escape untrusted HTTP request data according to the output context (HTML body, attribute, JavaScript string, URL parameter)
    +Reference: OWASP DOM based XSS Prevention Cheat Sheet
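Context-aware escaping, as an added example (not code from the original post): one encoder per output context, a vulnerable template beside its hardened form, and a scheme allow-list for attacker-supplied URLs, which escaping alone does not fix. The template, field names and the `safe_href` helper are assumptions of this example:

```python
import html
import json
from urllib.parse import quote, urlsplit

# One encoder per output context, so the call site says which context it is writing into.
def encode_html(s: str) -> str:
    # HTML body text and quoted attribute values: & < > " ' become entities.
    return html.escape(s, quote=True)

def encode_js_string(s: str) -> str:
    # Inside <script>: JSON-encode, then also escape < > & so a value containing
    # "</script>" or "<!--" cannot terminate the script block.
    return (json.dumps(s)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))

def encode_url_param(s: str) -> str:
    # Query-string value: percent-encode everything except unreserved characters.
    return quote(s, safe="")

def safe_href(url: str) -> str:
    # Encoding does not help when the attacker controls a whole URL:
    # "javascript:alert(1)" is perfectly valid attribute text. Allow-list the scheme.
    if urlsplit(url).scheme.lower() in ("http", "https"):
        return encode_html(url)
    return "#"

def render_profile_vulnerable(name: str, homepage: str) -> str:
    # VULNERABLE on purpose: untrusted values are interpolated raw into every context.
    return (f"<p>Hello, {name}</p>\n"
            f'<a href="{homepage}">homepage</a>\n'
            f'<script>var user = "{name}";</script>')

def render_profile_safe(name: str, homepage: str) -> str:
    # Same page, each value encoded for the exact context it lands in.
    return (f"<p>Hello, {encode_html(name)}</p>\n"
            f'<a href="{safe_href(homepage)}" title="{encode_html(name)}">homepage</a>\n'
            f'<a href="/search?q={encode_url_param(name)}">search</a>\n'
            f"<script>var user = {encode_js_string(name)};</script>")

if __name__ == "__main__":
    print(render_profile_safe("<script>alert(1)</script>", "javascript:alert(1)"))
```

For DOM-based XSS the same rule applies on the client: data read from `location`, `document.referrer` or a cookie goes into `textContent`, `setAttribute` or a URL-encoding call, never into `innerHTML`, `eval` or `document.write`.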

    Reference links:
    https://www.owasp.org
    https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
    https://www.owasp.org/index.php/Injection_Prevention_Cheat_Sheet_in_Java
    https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

    Original post: https://www.cnblogs.com/coder211/p/7919749.html
Copyright © 2020-2023  润新知