- Avoid implementing custom XML parsers, since a home-grown parser is likely to overlook attack vectors; use a tested, hardened parser instead
- When using a DOM-based parser, validate the size of the XML stream against a maximum before parsing it
- Defend against denial-of-service attacks by using SAX-based parsing, which streams the document instead of loading it whole into memory
- Validate input for the presence of malicious characters to avoid XML injection attacks
- Perform thorough input validation before a request is sent to the database
- Separate input data from executable commands by accessing the database through parameterized stored procedures, or by building SQL commands with SQL parameters
- Always use least-privileged accounts to access the database
- Replace every single quote in input with two single quotes
- Do not display error reports to outsiders; otherwise attackers use those same errors to plan further attacks
- Isolate the database server from the web server by hosting them on different machines
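The three database rules above (parameterized commands, quote doubling, and keeping input apart from executable SQL) side by side, as an added example that is not part of the course material. The course targets Java, where the equivalent of the bound-parameter query is a JDBC `PreparedStatement`; this example uses Python's `sqlite3` so it runs stand-alone, and the `users` table and its rows are constructed here.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory sample database (not from the course)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: input is spliced into the command text, so the database
    cannot distinguish data from SQL and a crafted name rewrites the WHERE
    clause."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_quoted(conn: sqlite3.Connection, name: str) -> list:
    """The quote-doubling rule applied by hand. It neutralises a quote that
    tries to close the string literal, but only protects string contexts;
    numeric or identifier positions are not covered, which is why bound
    parameters are the primary control."""
    escaped = name.replace("'", "''")
    sql = "SELECT name FROM users WHERE name = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: the value travels as a bound parameter, separately from the
    command text, and is compared literally against the column."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"          # constructed tautology input
    print("concat :", lookup_concat(db, crafted))   # every row leaks
    print("quoted :", lookup_quoted(db, crafted))   # no row matches
    print("param  :", lookup_param(db, crafted))    # no row matches
    print("param  :", lookup_param(db, "alice"))    # legitimate lookup
```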
04. Secure Coding Practices for Input Validation, EC-Council CASE JAVA