by bostik 3527 days ago
The cardinal rule of security is: you never, ever, trust anything the client sends.

This bypass is a perfect example. Although the author doesn't mention which interception proxy he used, I'm 99% sure it was Burp. Replaying modified content is trivial.


Even with a free software tool like mitmproxy modifying requests is trivial. You don't even need Burp.
The free version of Burp is completely capable of doing this, and so much more.
>you never, ever, trust anything the client sends.

The author likely wrote code that correctly validates "for all security questions a correct answer is given" and just forgot about the part where "for-all propositions are trivially true of the empty set."

It's easy to read a for loop for what it's intended as - a loop - and not think about "what if we never enter it at all?"

If we think, well, we need to have loops, we might be feeling despair right now; however, array languages don't need loops! I can write:

    min test each args
and I can do the same in JavaScript, it's just uglier:

    args.map(test).reduce(function(x,y){return Math.min(x,y)})
Writing in a functional style makes this kind of programming slightly less onerous, but it still feels strange in languages that are a bad fit.
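An added example, not from anyone in the thread, showing the vacuous "for all" bug described above in a security-question check, beside a version that anchors the loop to the server's own expected set. The stored answers and the two function names are constructed for illustration.

```javascript
// Constructed data: the account's stored security answers (hypothetical).
const storedAnswers = {
  "first pet": "rex",
  "mother's maiden name": "smith",
};

// Vulnerable: iterates over whatever list the client sent. If the client
// sends an empty list, the loop body never runs and the check passes,
// because "every item passed" is vacuously true of the empty set.
function verifyVulnerable(clientAnswers) {
  for (const { question, answer } of clientAnswers) {
    if (storedAnswers[question] !== answer) return false;
  }
  return true; // returns true for []
}

// Hardened: iterate over the SERVER's expected questions, so every stored
// question must be answered correctly, and the count must match exactly.
// Note that .every() (like .reduce()) also succeeds vacuously on an empty
// array; the fix is choosing the set we iterate over, not the loop style.
function verifyHardened(clientAnswers) {
  const expected = Object.keys(storedAnswers);
  if (!Array.isArray(clientAnswers) || clientAnswers.length !== expected.length) {
    return false;
  }
  const given = new Map(clientAnswers.map((a) => [a.question, a.answer]));
  return expected.every((q) => given.has(q) && given.get(q) === storedAnswers[q]);
}

// Replaying the request with the answers array stripped out:
console.log(verifyVulnerable([])); // true  (bypass)
console.log(verifyHardened([]));   // false (rejected)
```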
I've seen multiple major financial companies vulnerable to modification of the page that could be done entirely in inspect element.
Fiddler also has this capability