Study notes on the top vulnerability categories listed in the OWASP Top 10.
INJECTION
Vulnerable query, built by concatenating user input into the SQL string (Java-style):
"select * from Usuarios where email='" + email + "' and senha='" + senha + "'"
Payload typed into the email field:
'or 1=1#
Resulting query: the quote closes the email literal, "or 1=1" makes the WHERE clause always true, and # starts a MySQL comment that discards the password check:
select * from Usuarios where email=''or 1=1#'and senha='32425435453'
PREVENTION
- Parameterized queries (prepared statements): user input is sent as a bound value, never spliced into the SQL text
- Sanitization / escaping API only as a secondary defense (it is not a substitute for parameterized queries)
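The injection above and its fix, as an added example that is not part of the original notes. It builds the same Usuarios/email/senha query against an in-memory SQLite database; the sample rows are constructed for the demo, and the payload uses "--" because SQLite, unlike MySQL, does not treat "#" as a comment.

```python
import sqlite3

# Constructed sample data for the demo (not from the original notes).
SAMPLE_USERS = [
    ("alice@example.com", "32425435453"),
    ("bob@example.com", "hunter2"),
]

# SQLite comment syntax; the "#" in the notes is MySQL-specific.
PAYLOAD = "' or 1=1--"


def make_db():
    """In-memory SQLite database with the Usuarios table from the notes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Usuarios (email text, senha text)")
    conn.executemany("insert into Usuarios values (?, ?)", SAMPLE_USERS)
    return conn


def build_vulnerable_query(email, senha):
    """String concatenation exactly like the notes: input becomes SQL text."""
    return ("select * from Usuarios where email='" + email
            + "' and senha='" + senha + "'")


def login_vulnerable(conn, email, senha):
    """Runs the concatenated query. Returns every row the WHERE clause matches."""
    return conn.execute(build_vulnerable_query(email, senha)).fetchall()


def login_safe(conn, email, senha):
    """Parameterized query: the driver binds the values separately, so quotes
    or comment markers in the input can never change the SQL structure."""
    query = "select * from Usuarios where email=? and senha=?"
    return conn.execute(query, (email, senha)).fetchall()


def demo():
    """Row counts returned for the injection payload and for a real login."""
    conn = make_db()
    return {
        # "email='' or 1=1--' and senha='wrong'": password check commented out
        "vulnerable": len(login_vulnerable(conn, PAYLOAD, "wrong")),
        # the payload is compared literally to the email column: no match
        "safe": len(login_safe(conn, PAYLOAD, "wrong")),
        "legit": len(login_safe(conn, "alice@example.com", "32425435453")),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, "wrong"))
    print(demo())
```

The vulnerable path returns every user for any password, while the parameterized path returns nothing for the payload and one row for genuine credentials.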
BROKEN AUTHENTICATION
- When the website allows weak passwords
- Brute force with a wordlist of common passwords
- Credential stuffing (username/password pairs reused from exposed database dumps)
- Exposed cookies / session IDs in the URL
- When the website permits unlimited login attempts (brute force)
- When the recovery method is weak (knowledge-based answers)
- When the website does not hash passwords (e.g. with bcrypt)
- When the administrator panel has default passwords
PREVENTION
- Do not allow weak or common passwords, e.g. "password"
- CAPTCHA on the login form
- Multi-factor authentication
- Limit login attempts (lockout or rate limiting)
- Disable default administrative passwords
- Password validation per NIST SP 800-63B (Memorized Secrets): minimum length, check against breached/common password lists
- Never send passwords or session IDs in the URL
- HTTPS on login / credential forms (prevents man-in-the-middle interception)
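The password-validation, hashing and attempt-limiting controls from the list above in one login service, as an added example that is not part of the original notes. It uses salted PBKDF2-SHA256 from the standard library as a stand-in for bcrypt so it runs without third-party packages; the common-password deny-list, the lockout threshold and the iteration count are assumed demo values.

```python
import hashlib
import hmac
import os
import time

# Constructed deny-list standing in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}
MIN_LENGTH = 8               # NIST SP 800-63B minimum for user-chosen secrets
MAX_ATTEMPTS = 5             # assumed lockout threshold
LOCKOUT_SECONDS = 900        # assumed lockout window
PBKDF2_ITERATIONS = 100_000  # kept low for the demo; use bcrypt/argon2 in production
SALT_LEN = 16


def validate_password(password):
    """Reject passwords that are too short or on the common-password list."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if password.lower() in COMMON_PASSWORDS:
        return False, "commonly used password"
    return True, "ok"


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 (stdlib stand-in for bcrypt); returns salt || digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Verified against for unknown accounts so response time does not reveal
# whether an email exists.
DUMMY_HASH = hash_password("dummy-password-for-timing")


class AuthService:
    def __init__(self, now=time.time):
        self.users = {}     # email -> salt || digest (never the plaintext)
        self.failures = {}  # email -> (failed attempts, time of first failure)
        self.now = now      # injectable clock so the lockout can be tested

    def register(self, email, password):
        ok, reason = validate_password(password)
        if not ok:
            return False, reason
        self.users[email] = hash_password(password)
        return True, "registered"

    def login(self, email, password):
        count, since = self.failures.get(email, (0, 0))
        if count >= MAX_ATTEMPTS and self.now() - since < LOCKOUT_SECONDS:
            return False, "locked"
        stored = self.users.get(email)
        if stored is None:
            verify_password(password, DUMMY_HASH)  # equalize timing
            valid = False
        else:
            valid = verify_password(password, stored)
        if valid:
            self.failures.pop(email, None)
            return True, "ok"
        if count >= MAX_ATTEMPTS:  # previous lockout expired: start a new window
            count = 0
        if count == 0:
            since = self.now()
        self.failures[email] = (count + 1, since)
        return False, "invalid credentials"


if __name__ == "__main__":
    svc = AuthService()
    print(svc.register("alice@example.com", "password"))
    print(svc.register("alice@example.com", "correct horse battery"))
    print(svc.login("alice@example.com", "correct horse battery"))
```

The same generic "invalid credentials" message is returned for a wrong password and for an unknown account, and the dummy verification keeps both paths taking about the same time, so the login form does not double as a username enumeration oracle.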
- If the website does not block access to directory paths (directory listing or path traversal)