12.07.2015

APPLICATION PENETRATION TEST SUPER VEDA

Application Penetration Test for Super Veda - Sample Report

6 RECOMMENDATIONS

Implementing the following recommendations will resolve the problems described above:

6.1 AVOIDING SQL INJECTION

The following recommendations apply to all pages that are susceptible to SQL Injection. This includes:

• showproducts.asp
• proddetails.asp
• addcomments.asp
• dosearch.asp
• getstates.asp
• login.asp

The best way to avoid SQL Injection is to use prepared statements rather than string queries. With a prepared statement, the syntax of the statement is fixed first and the parameter values are supplied only afterwards, so a parameter can never be interpreted as part of the SQL syntax (unlike string queries, which mix the parameters into the syntax while the query string is being built). In classic ASP this means binding the values through ADODB.Command parameters instead of concatenating them into the query text; a query that is concatenated first and only then executed gains nothing from the change.

In addition, it is recommended that each received parameter be validated before it is processed. All ID parameters (such as CatID, ProdID, etc.) can easily be validated by verifying that they contain only digits. Other parameters may take only specific values, or should contain only alphanumeric characters. This validation is a second layer of defence and does not replace parameterised queries: free-text inputs such as a search term or a comment cannot be restricted to a safe character set, so they must still be passed as bound parameters.

Imperva Page 33 of 73
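The following is an added example, not code from the report or from the Super Veda application, showing the two patterns the recommendation contrasts. The table layout, rows, function names and attack strings are constructed for illustration (the report does not show the real schema or the payloads used); sqlite3 stands in for the site's database, and the `?` placeholder plays the role that ADODB.Command parameters play in classic ASP. The string-query functions reproduce the concatenation pattern flagged on showproducts.asp and login.asp; the prepared-statement functions and the digits-only check implement the two recommendations.

```python
import re
import sqlite3


# Constructed in-memory stand-in for the Super Veda catalogue and user table.
# The schema and rows are hypothetical; the report does not show the real ones.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (ProdID INTEGER PRIMARY KEY, CatID INTEGER, Name TEXT);
        INSERT INTO products VALUES (1, 10, 'Veda Tonic');
        INSERT INTO products VALUES (2, 10, 'Veda Oil');
        INSERT INTO products VALUES (3, 20, 'Herbal Soap');
        CREATE TABLE users (UserID INTEGER PRIMARY KEY, Username TEXT, Password TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return conn


# --- The pattern the report flags: request parameters pasted into the SQL text. ---

def show_products_string_query(conn, cat_id):
    """Stand-in for showproducts.asp building its query by concatenation."""
    sql = "SELECT ProdID, Name FROM products WHERE CatID = " + cat_id
    return conn.execute(sql).fetchall()


def login_string_query(conn, username, password):
    """Stand-in for login.asp checking credentials with a concatenated query."""
    sql = ("SELECT UserID FROM users WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


# --- The recommended pattern: syntax fixed first, values bound afterwards. ---

def show_products_prepared(conn, cat_id):
    sql = "SELECT ProdID, Name FROM products WHERE CatID = ?"
    return conn.execute(sql, (cat_id,)).fetchall()


def login_prepared(conn, username, password):
    sql = "SELECT UserID FROM users WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# --- The additional check the report recommends for ID parameters. ---

ID_PATTERN = re.compile(r"[0-9]{1,9}")  # digits only; the length bound is an assumed limit


def is_valid_id(raw):
    """True only if a CatID/ProdID-style parameter is made of plain digits."""
    return ID_PATTERN.fullmatch(raw) is not None


def validate_id(raw):
    if not is_valid_id(raw):
        raise ValueError("rejected non-numeric ID parameter: %r" % raw)
    return int(raw)


def show_products(conn, raw_cat_id):
    """Validation first, then the prepared statement: defence in depth."""
    return show_products_prepared(conn, validate_id(raw_cat_id))


if __name__ == "__main__":
    db = make_db()
    # Constructed attack inputs of the kind a tester would send to the listed pages.
    payload_union = "10 UNION ALL SELECT Username, Password FROM users"
    payload_login = "admin' --"
    print("string query:", show_products_string_query(db, payload_union))
    print("prepared    :", show_products_prepared(db, payload_union))
    print("login bypass:", login_string_query(db, payload_login, "wrong"))
    print("login fixed :", login_prepared(db, payload_login, "wrong"))
    try:
        show_products(db, payload_union)
    except ValueError as err:
        print("validation  :", err)
```

Run as a script, the string-query version of showproducts returns the users table alongside the products, and the string-query login accepts `admin' --` with any password; the prepared versions return nothing for the same inputs because the bound value is compared as data, not parsed as SQL. Note that the digits-only check alone would not protect login.asp or dosearch.asp, whose inputs are free text, which is why the recommendation treats validation as an addition to prepared statements rather than an alternative.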
