2: Basic Tests and Techniques
Do not cache private data at all; add the relevant HTTP
header directives to the HTTP response for all such pages.
Store as little information as possible on the client side; if
you must, obfuscate it so that only the application can read
and interpret it. Encrypt all such information wherever you
can. Set strict permissions and access control on all folders
that the application reads from or writes to.
Over-reliance on client-side validation
for validating inputs earlier. It becomes a problem when
revalidate the input on the server.
Consider a login page to an application. The
authentication logic is a file called auth.js which runs on the
such a way that the user's password isn't checked at all
each time the user attempts to log in to the application. This
means that if they know the username of the application
administrator they would be in a position to log in as that
While we test applications, we make it a point to go
application to see if it controls any part of the application