A web application for ordering cat food charges users and places an order when an HTTP GET request is issued to the following URL:

http://www.catsupplies.com/order?brand=xxxxx&quantity=xxxxx

A malicious website could add a snippet like this to its own pages:

<img src="http://www.catsupplies.com/order?brand=xxxxx&quantity=xxxxx">

What would help protect against such attacks, considering that the web application has a CORS policy that only allows requests from the same site?

(Select all acceptable answers.)

Switch from HTTP GET to HTTP PUT and move the query parameters into the request body.
Add an additional "token" cookie, without the SameSite attribute, that is unique per user session, and check that it is correct when the page is visited.
Make HTTPS mandatory.
Make sure that the requests to that page contain a valid session identifier.
Add an additional "token" HTTP header that is unique per user session, and check that it is correct when the page is visited.

Tags: Web Application Security, CSRF, New, Public
Difficulty: Easy
Time: 3 min

On the TestDome Blog

Screening Applicants: The Good, the Bad and the Ugly

Since we’re all biased and we use incorrect proxies, why not just outsource hiring to experts or recruitment agencies? After all, they’ve been screening people for many years, so they must know how to do it right?

Not really. I was surprised to discover that many experts disagree with each other. Everybody praises their pet method and criticizes the others. Many of these methods look legitimate, but are based on...
