1. How can data be transmitted via the client in a way that prevents tampering attacks?
- Using a key stored on the server to encrypt the data, so that attackers cannot produce arbitrary encrypted data. But since protected data can be taken from one context and reused in another, the protected data must carry sufficient context for the server to confirm that it originated in the context where it is now being used. For example, name of the item and pro
2. An application developer wants to stop an attacker from performing brute-force attacks against
the login function. Because the attacker may target multiple usernames, the developer decides
to store the number of failed attempts in an encrypted cookie, blocking any request if the
number of failed attempts exceeds five. How can this defense be bypassed?
3. An application contains an administrative page that is subject to rigorous access controls. It
contains links to diagnostic functions located on a different web server. Access to these
functions should also be restricted to administrators only. Without implementing a second
authentication mechanism, which of the following client-side mechanisms (if any) could be used
to safely control access to the diagnostic functionality? Do you need any more information to
help choose a solution?
a. The diagnostic functions could check the HTTP Referer header to confirm that the
request originated on the main administrative page.
b. The diagnostic functions could validate the supplied cookies to confirm that these
contain a valid session token for the main application.
c. The main application could set an authentication token in a hidden field that is
included within the request. The diagnostic function could validate this to confirm that
the user has a session on the main application.
4. If a form field includes the attribute disabled=true, it is not submitted with the rest of the form.
How can you change this behavior?
5. Are there any means by which an application can ensure that a piece of input validation logic
has been run on the client and passed?