Vulnerability Remediation Guide

Developer-focused remediation guidance with code examples in multiple languages. Fix vulnerabilities the right way, the first time.

Injection (CRITICAL)
SQL, command and LDAP injection prevention: parameterized queries where the interface supports them, and safe APIs or proper escaping where it does not (shell commands, LDAP filters).
OWASP: A03:2021 | Effort: medium | Time: 2-4 hours

Authentication (CRITICAL)
Secure password storage, session management, MFA implementation.
OWASP: A07:2021 | Effort: high | Time: 1-2 days

XSS (HIGH)
Context-aware output encoding, CSP headers, DOM sanitization techniques.
OWASP: A03:2021 | Effort: medium | Time: 2-4 hours

Security Headers (MEDIUM)
HSTS, CSP, X-Frame-Options and other protective headers.
OWASP: A05:2021 | Effort: low | Time: 30 min

CSRF (HIGH)
Anti-CSRF tokens, SameSite cookies, origin validation.
OWASP: A01:2021 | Effort: low | Time: 1-2 hours

SSRF (CRITICAL)
URL allowlists, IP validation, cloud metadata endpoint protection.
OWASP: A10:2021 | Effort: medium | Time: 2-4 hours

File Upload (CRITICAL)
File type validation, safe storage, malware scanning.
OWASP: A04:2021 | Effort: high | Time: 4-8 hours

Access Control (CRITICAL)
RBAC, ABAC, IDOR prevention, authorization patterns.
OWASP: A01:2021 | Effort: high | Time: 1-3 days

XXE (CRITICAL)
XML External Entity prevention and secure parser configuration.
OWASP: A05:2021 | Effort: low | Time: 30-60 min

Deserialization (CRITICAL)
Insecure deserialization prevention with safe alternatives.
OWASP: A08:2021 | Effort: high | Time: 4-8 hours

Path Traversal (HIGH)
Directory traversal prevention with path canonicalization and validation.
OWASP: A01:2021 | Effort: medium | Time: 2-4 hours

Open Redirect (MEDIUM)
URL validation and allowlists to prevent phishing via trusted-looking links.
OWASP: A01:2021 | Effort: low | Time: 1-2 hours

Race Conditions (HIGH)
TOCTOU prevention, atomic operations, locking strategies.
OWASP: A04:2021 | Effort: high | Time: 4-8 hours

Memory Safety (CRITICAL)
Buffer overflows, use-after-free, safe coding practices.
OWASP: A06:2021 (nearest fit; memory-corruption CWEs have no dedicated 2021 Top 10 category) | Effort: high | Time: 6-12 hours

Cryptography (CRITICAL)
Modern algorithms, key management, secure RNG, TLS 1.2+.
OWASP: A02:2021 | Effort: medium | Time: 4-8 hours

Logging & Monitoring (MEDIUM)
Log injection prevention, sensitive data redaction, SIEM integration.
OWASP: A09:2021 | Effort: low | Time: 2-4 hours

Quick Start for Developers

Each guide includes:

  • Vulnerable code examples - What NOT to do
  • Secure implementations - Copy-paste ready fixes
  • Multiple languages - Python, JavaScript, Java, C#, PHP, Go
  • Testing commands - Verify your fix works
  • Common mistakes - Avoid incomplete fixes
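The vulnerable/secure pairing the guides promise, as an added example that is not taken from the site's own guides. It uses Python's sqlite3 with a constructed in-memory user table and a made-up tautology payload, and also covers the case the parameterized-query advice alone does not solve: identifiers such as ORDER BY columns cannot be bound, so they go through an allowlist.

```python
import sqlite3
from typing import List

# Constructed sample data for the demonstration; a real app would use its own schema.
SAMPLE_USERS = [
    ("alice", "$2b$12$placeholder-hash-alice"),
    ("bob", "$2b$12$placeholder-hash-bob"),
    ("admin", "$2b$12$placeholder-hash-admin"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, "
        "password_hash TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    # VULNERABLE (what NOT to do): the caller's string is spliced into the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    # SAFE: the value travels as a bound parameter and is never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Identifiers (table/column names, ORDER BY targets) cannot be bound as parameters,
# so they are mapped through an allowlist instead of being interpolated from input.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> List[str]:
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {sort_column}")]


# Classic tautology payload: the closing quote and OR clause rewrite the WHERE condition.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PAYLOAD))  # every user leaks
    print("safe:      ", find_user_safe(conn, PAYLOAD))        # no match
    print("sorted:    ", list_users_sorted(conn, "username"))
```

Run it and compare the two result lists: the vulnerable query returns every row for the payload, the parameterized one returns nothing because the whole string is compared as one literal value.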

Quick Reference Table

Vulnerability     | Severity | OWASP | CWE | Primary Fix                                   | Secondary Controls
SQL Injection     | CRITICAL | A03   | 89  | Parameterized queries                         | Input validation, WAF, least-privilege DB account
Command Injection | CRITICAL | A03   | 78  | Avoid the shell; call process/library APIs    | Input validation, sandboxing
XSS               | HIGH     | A03   | 79  | Context-aware output encoding                 | CSP headers, input validation
CSRF              | HIGH     | A01   | 352 | CSRF tokens                                   | SameSite cookies, Origin/Referer validation
SSRF              | CRITICAL | A10   | 918 | Allowlist hosts                               | Disable redirects, block private/link-local ranges, validate responses
File Upload       | CRITICAL | A04   | 434 | Validate content, not just the extension      | Rename files, serve from a separate domain, AV scan
Access Control    | CRITICAL | A01   | 284 | Server-side authorization check on every request | RBAC/ABAC, audit logging
XXE               | CRITICAL | A05   | 611 | Disable DTDs and external entities            | Prefer JSON or simpler parsers
Deserialization   | CRITICAL | A08   | 502 | Use safe formats (JSON)                       | Type allowlists, integrity checks (signatures)
Path Traversal    | HIGH     | A01   | 22  | Canonicalize the path, then check it is inside the base directory | Allowlist files, chroot
Open Redirect     | MEDIUM   | A01   | 601 | Allowlist domains                             | Indirect references, relative paths
Weak Auth         | CRITICAL | A07   | 287 | Slow password hash (bcrypt or Argon2id)       | MFA, breach checks, rate limiting
Race Conditions   | HIGH     | A04   | 362 | Atomic operations                             | Locking, transactions, state machines
Memory Safety     | CRITICAL | A06   | 119 | Memory-safe languages                         | Bounds checking, smart pointers, sanitizers
Weak Crypto       | CRITICAL | A02   | 327 | Modern algorithms                             | Key management, secure RNG, TLS 1.2+
Log Injection     | MEDIUM   | A09   | 117 | Sanitize/encode values before logging         | Structured logging, redact sensitive data
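The Path Traversal row's "canonicalize, then check" fix, worked through as an added example (not code from the site's guides). It builds a throwaway directory tree, so the file names, the served root and the request strings are constructed for the demo. The point it makes beyond the one-liner: a string prefix check on the raw input misses symlinks and NUL bytes, so the check has to run on the resolved path.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable


class UnsafePath(ValueError):
    """Raised when a requested path would escape the allowed directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Return the canonical path of user_path under base_dir, or raise UnsafePath."""
    if "\x00" in user_path:
        raise UnsafePath("NUL byte in path")  # truncates the path in C-level filesystem calls
    if os.path.isabs(user_path) or user_path.startswith(("/", "\\")):
        raise UnsafePath("absolute paths are not allowed")  # os.path.join would discard base_dir
    base = Path(base_dir).resolve()
    # resolve() collapses '.' and '..' AND follows symlinks, so a link inside base_dir that
    # points outside is caught as well. Checking the raw string for '..' is not enough.
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise UnsafePath(f"{user_path!r} escapes {base_dir!r}")
    return str(candidate)


def check_inputs(base_dir: str, inputs: Iterable[str]) -> Dict[str, bool]:
    """Map each requested path to whether safe_join accepts it."""
    results = {}
    for requested in inputs:
        try:
            safe_join(base_dir, requested)
            results[requested] = True
        except UnsafePath:
            results[requested] = False
    return results


def build_fixture() -> str:
    """Create a throwaway tree (constructed for the demo) and return the directory we serve."""
    root = Path(tempfile.mkdtemp())
    (root / "secret.txt").write_text("outside the served directory")
    served = root / "public"
    (served / "reports").mkdir(parents=True)
    (served / "reports" / "q1.txt").write_text("ok")
    # A symlink inside the served tree pointing outside it (needs symlink support, e.g. Linux).
    os.symlink(root / "secret.txt", served / "escape_link")
    return str(served)


# Constructed request strings covering the common bypass attempts.
CONSTRUCTED_REQUESTS = [
    "reports/q1.txt",              # legitimate
    "reports/../reports/q1.txt",   # '..' that stays inside the base directory
    "../secret.txt",               # classic traversal
    "reports/../../secret.txt",    # traversal after a valid prefix
    "/etc/passwd",                 # absolute path
    "escape_link",                 # symlink pointing outside
    "reports/q1.txt\x00.png",      # NUL-byte truncation trick
]

if __name__ == "__main__":
    for path, allowed in check_inputs(build_fixture(), CONSTRUCTED_REQUESTS).items():
        print("ALLOW " if allowed else "REJECT", repr(path))
```

Only the first two requests are accepted; the second shows that rejecting every ".." would be too strict, because the resolved path is what matters, not the characters in the input.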

One-Liner Cheatsheet

SQLi: Use prepared statements with bound parameters; allowlist identifiers (table and column names) that cannot be bound
XSS: Encode output for the context it lands in (HTML body, attribute, JavaScript, URL)
CSRF: Per-session token + SameSite=Lax or Strict cookies (Strict also drops the session on top-level navigation from other sites)
SSRF: Allowlist hosts, resolve DNS before connecting and block private/link-local ranges (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, ::1, fc00::/7, fe80::/10), disable redirects
XXE: Disable DTDs and external entities in the parser
Deser: Never deserialize untrusted data with a native serializer; use JSON with schema validation
Path: Canonicalize the path, then verify it is still inside the allowed directory
Redirect: Parse the URL, validate the host against an allowlist, reject scheme-relative (//host) targets
Auth: bcrypt (cost 12+) or Argon2id + MFA + rate limiting + breach check
Upload: Validate content (not just the extension) + random server-side name + isolated storage
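The SSRF line of the cheatsheet as an added example (not code from the site's guides): scheme, credentials, host allowlist and port are checked on the parsed URL, the host is resolved before the connection, every returned address is tested against the blocked ranges, and the resolved IP is returned so the caller can pin it. The allowlisted hosts, the DNS answers and the rebinding scenario are all constructed for the demo; the resolver is injectable so the block runs offline.

```python
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

# Assumed for the example: the only upstreams this service may call, and only over HTTPS.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}

# Ranges an outbound fetch must never reach: loopback, RFC 1918, link-local (including the
# 169.254.169.254 cloud metadata endpoint), CGNAT, multicast/reserved, and IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup; the demo and test swap in a constructed table instead."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url: str, resolver: Resolver = system_resolver) -> Tuple[str, str]:
    """Return (hostname, pinned_ip) for a URL the app may fetch, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL")  # https://api.example.com@evil/ fools substring checks
    host = parts.hostname
    if not host or host.lower() not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    if parts.port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {parts.port}")
    addresses = resolver(host)
    if not addresses:
        raise ValueError("host did not resolve")
    for addr in addresses:
        if is_blocked_address(addr):
            raise ValueError(f"{host} resolves to blocked address {addr}")
    # Connect to the pinned IP (sending Host: <host>) with redirects disabled in the HTTP
    # client; re-resolving at connect time would reopen the DNS-rebinding window.
    return host.lower(), addresses[0]


def is_fetch_allowed(url: str, resolver: Resolver = system_resolver) -> bool:
    try:
        validate_outbound_url(url, resolver)
        return True
    except ValueError:
        return False


# Constructed DNS answers standing in for real lookups.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "cdn.example.com": ["2001:db8::1"],
}
REBOUND_DNS = {"api.example.com": ["::ffff:169.254.169.254"]}  # attacker rebinds the name


def fake_resolver(table):
    return lambda host: table.get(host.lower(), [])


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/items",
                "http://api.example.com/",
                "https://169.254.169.254/latest/meta-data/",
                "https://api.example.com@evil.example/",
                "https://api.example.com:8443/"):
        print(is_fetch_allowed(url, fake_resolver(FAKE_DNS)), url)
    print(is_fetch_allowed("https://api.example.com/", fake_resolver(REBOUND_DNS)), "(rebinding)")
```

The rebinding case is why the address check happens on the resolver's answer rather than on the hostname: an allowlisted name is only safe for as long as the attacker does not control its DNS record.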

Essential Security Headers

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()

Caveats: 'unsafe-inline' on style-src is a concession for legacy inline styles; replace it with nonces or hashes once stylesheets are external. frame-ancestors 'none' is the modern form of X-Frame-Options: DENY; keep both so older browsers are covered. Roll HSTS out with a short max-age first, and add preload only when every subdomain is served over HTTPS, because getting off the preload list takes months.
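How the headers above are applied per response when the CSP uses a nonce instead of 'unsafe-inline', as an added example that is not code from the site's guides. It is a plain WSGI middleware (no framework assumed); the environ key "example.csp_nonce" and the demo app are invented for the demonstration, and preload is deliberately left off the HSTS value.

```python
import secrets
from typing import Callable, Dict, Iterable, List, Tuple


def new_nonce() -> str:
    """128-bit random nonce, generated fresh for every response and never reused."""
    return secrets.token_urlsafe(16)


def security_headers(nonce: str) -> List[Tuple[str, str]]:
    csp = "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",  # nonce instead of 'unsafe-inline'
        f"style-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",              # modern replacement for X-Frame-Options
        "form-action 'self'",
    ])
    return [
        ("Content-Security-Policy", csp),
        # 'preload' left off on purpose: add it only once every subdomain is HTTPS-only.
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-Frame-Options", "DENY"),           # kept for browsers without frame-ancestors support
        ("Referrer-Policy", "strict-origin-when-cross-origin"),
        ("Permissions-Policy", "geolocation=(), camera=(), microphone=()"),
    ]


class SecurityHeadersMiddleware:
    """WSGI wrapper: generates the nonce, exposes it to the app, appends the headers."""
    NONCE_KEY = "example.csp_nonce"  # hypothetical environ key chosen for this demo

    def __init__(self, app: Callable):
        self.app = app

    def __call__(self, environ: Dict, start_response: Callable) -> Iterable[bytes]:
        nonce = new_nonce()
        environ[self.NONCE_KEY] = nonce

        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            # The app wins on conflicts so an individual route can tighten its own policy.
            extra = [(n, v) for n, v in security_headers(nonce) if n.lower() not in present]
            return start_response(status, list(headers) + extra, exc_info)

        return self.app(environ, start_with_headers)


def demo_app(environ, start_response):
    """Minimal app whose template tags its inline script with the per-response nonce."""
    nonce = environ[SecurityHeadersMiddleware.NONCE_KEY]
    body = f'<script nonce="{nonce}">console.log("allowed by nonce")</script>'.encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def run_once(app: Callable) -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app with a constructed GET request; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["status"], captured["headers"], body


def nonce_from_csp(csp: str) -> str:
    """Pull the nonce value back out of a Content-Security-Policy header."""
    return csp.split("'nonce-", 1)[1].split("'", 1)[0]


if __name__ == "__main__":
    status, headers, body = run_once(SecurityHeadersMiddleware(demo_app))
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(body.decode())
```

Because the nonce changes on every response, a script injected by an attacker cannot guess it, while the application's own inline script, which carries the same nonce the header announces, still runs.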