Item=1' UNION SELECT 1,2,name FROM master..sysobjects WHERE xtype='U
Item=1 or 1=1
User=1 UNION SELECT 1,2,name FROM master..sysdatabases
User=1 or 1=1--
User=1; WAITFOR DELAY '0:0:5';--
… obtain any data from the web application’s database.
… delete or modify arbitrary data in the web application’s database.
… read files from the database server.
… run arbitrary code on the database server.
… run arbitrary code on the web server.
… blacklisting strings such as "1 OR 1=1" and "UNION" from input.
… using an intrusion detection system to detect attacks.
… whitelisting input (e.g. only allowing alphanumerical characters and spaces).
… use of prepared statements or parametrized queries.
… segmenting database accounts and minimizing their user rights.
The attacker may be able to run arbitrary code on the user's machine.
The attacker can exploit an XSS vulnerability in order to impersonate a user.
Reflected XSS vulnerabilities can only be triggered if the user performs a certain action.
The user cannot do anything to protect himself against reflected XSS on a page that he normally trusts.
An XSS payload may use AJAX requests to persistently infect multiple pages on the host.
Converting HTML control characters such as < to HTML entities such as &lt;.
Only allowing certain 'safe' tags for formatting, such as <b>, <i>, <p>, <br>.
Using special tags (such as [url=...]) and converting them to HTML.
Using an HTML filter library to remove potential XSS code from output.
It is a good solution to explicitly change the extension of uploaded files to match their (expected) content, and check their validity by attempting to open them with the appropriate function.
If uploaded content is filtered by extension (.aspx, .jsp, .inc, .php), it prevents the attacker from uploading executable scripts to the server.
It is possible to effectively filter dangerous content by checking the MIME type of uploaded files.
Since there are numerous CAPTCHA solver tools and human-powered online CAPTCHA solver services available, using a CAPTCHA to deter spam will have no effect.
To prevent spam, it is a good idea to select a CAPTCHA that requires solving a complex mathematical / geometry problem.
In HTML5, AJAX calls can read from other domains without restrictions.
Thanks to the new possibilities of HTML5, an attacker can steal data from an iframe through ClickJacking.
Not using the new features introduced by HTML5 is a good way to protect a page against the new security risks introduced by those features.
HTML5 makes it easier to protect against XSS.
Local Storage cannot be directly manipulated by XSS.
… modify other currently running scripts.
… simulate user clicks in the browser.
… run arbitrary native code on the user’s machine.
… modify user session data.
… add the Access-Control-Allow-Origin header to only allow cross-origin requests from the site that is supposed to perform the AJAX requests.
… use POST XmlHttpRequests instead of GET.
… use referrer checks to only send responses to XmlHttpRequests to the site that is supposed to perform the AJAX requests.
… send your XmlHttpRequest data in JSON format instead of XML.