Tag archive: Injection Attack

Notes About HTTP and Servlets

Which of the following are correct statements regarding HTTP polling?
Since a client does not have direct access to any server-side state, the client may waste resources by polling the server for updates when there are none.
Dynamically adapting the polling interval is one approach to reducing unnecessary HTTP requests.
Polling can generate excess load on a server if the polling interval is too short.


Which of the following are true of Push Messaging?
If the state that needs to be pushed to a client is extremely sensitive, a "push to poll" model where the server sends a push notification and then the client polls for a state update is most appropriate
If the state that needs to be pushed to a client is extremely large (e.g., multiple megabytes), a "push to poll" model where the server sends a push notification and then the client polls for a state update is most appropriate
Push messaging relies on a persistent connection between a mobile device and a push messaging system's servers


Which of the following are true statements about Servlets?
A servlet has doXXXX methods for each type of request method that can be sent to the server


Which of the following is true about handling client input data in a servlet?
A servlet can access URL-encoded parameters placed in the body of a request sent by a client
A servlet can access URL query parameters sent by a client


Which of the following are true statements regarding request routing and servlets?
A web.xml file can be used to specify which requests should be routed to which servlets
Requests can be routed to different servlets based on the resource path specified in the request


Which of the following could lead to an injection attack?
Failing to verify that the type of data sent to the server is what was expected
Storing client-provided data without filtering it and then resending it to other clients
Allowing client-provided data to control an execution path involving sensitive data
Echoing executable client-provided data back to the client without filtering it


Which of the following are true statements regarding client-provided data?
None of the below are correct:

  • Careful filtering of client-provided data is not needed if only one type of client is expected to ever use a cloud service
  • Careful filtering of client-provided data is not needed if the same developer writes the mobile client and the cloud service
  • Because client-provided data is so hard to filter, a cloud service should never accept a body in an HTTP request
  • Client-provided data in URL query parameters is always safer than the same data provided in a URL-encoded request body


Enjoy
Marcos de Carvalho Oliveira