Multiple choice general knowledge science & technology

A site simply doesn’t use SSL for all pages that require authentication. and observes an authenticated victim’s session cookie. Attacker then replays this cookie and takes over the user’s session. To prevent this kind of attacks, which of the following can be an effective methodogy:

  1. Require SSL for all sensitive pages. Non-SSL requests to these pages should be redirected to the SSL page

  2. A strong application architecture that provides good separation and security between components

  3. Use of Whitelist or Parameterized API

  4. All of the Above

Reveal answer Fill a bubble to check yourself
A Correct answer
Explanation

Not using SSL for authenticated pages allows attackers on the network to intercept session cookies (sniffing). Requiring SSL for all sensitive pages encrypts traffic, preventing cookie theft. The scenario describes Insufficient Transport Layer Protection. Requiring SSL and redirecting non-SSL requests is the correct defense.