Attacks + Validation

If the application allows redirection to any URL,

this creates a situation known as an unvalidated redirect, which an attacker may use to redirect the user to a malicious site

Developers seeking to include redirection options in their application should perform

validated redirects that check redirection URLs against an approved list.

Reflected XSS

attacks commonly occur when an application allows reflected input. The key to this attack is that it’s possible to embed form input in a link

Stored XSS

stores cross-site scripting code on a remote web server. These attacks are described as persistent because they remain on the server even when the attacker isn’t actively waging an attack

In a parameterized query,

the client does not directly send SQL code to the database server. Instead, the client sends arguments to the server, which then inserts those arguments into a precompiled query template. This approach protects against injection attacks and also improves database performance. Stored procedures are an example of an implementation of parameterized queries used by some database platforms