Gathering information related to the web application, such as:
Ports and services running
Server and OS discovery
Scanners like Nikto, Nessus, URLscan and Acunetix can be used to find vulnerabilities in a web application.
Identify Entry Points and Attack surface:
The next step is to identify the entry points, such as login screens, URLs and cookies, and the output points, such as display screens and reports. We need to find vulnerabilities that allow the access controls to be bypassed and the application to be broken into. Each of the attacks discussed above should be tested for.
Always validate the input fields.
Limit the length of data accepted by the input fields.
Check for malicious input such as scripts and SQL injection payloads.
Use a Web application firewall.
Run database accounts with minimal access rights.
Use input/output encoding.
Use prepared statements and parameterised SQL queries to prevent SQL injection.
Configure the firewall with strict rules.
Use secure protocols.
Use unpredictable (cryptographically random) values for session cookies and enforce proper session expiry.
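As an added example (not code from the original page), the input-validation and parameterised-query countermeasures above in Python with the standard sqlite3 module. The users table, the login functions and the 64-character length limit are assumptions chosen for illustration; the string-concatenated query is shown only to contrast it with the hardened form.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def make_db():
    """Constructed in-memory users table (sample data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password kept only to keep the example short; real systems
    # store a salted password hash instead.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def validate_username(username):
    """Allow-list check: limited length and character set (assumed policy)."""
    return USERNAME_RE.fullmatch(username) is not None


def login_concat(conn, username, password):
    """Vulnerable form: user input is spliced into the SQL text, so quote
    characters in the input become part of the query's syntax."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """Hardened form: placeholders pass the input to the database as data,
    so it can never change the structure of the statement."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"  # classic quote-breaking test input
    print("validate:", validate_username("alice"), validate_username("a" * 65))
    print("concat  :", login_concat(db, "alice", tampered))   # True (bypassed)
    print("param   :", login_param(db, "alice", tampered))    # False (blocked)
```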