Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Fix versions: 5.3.5, 5.4
Description
Tapestry encodes serialized objects into Base64 encoded strings that are stored on the client; primarily, this is for form submissions, to encode the set of operations needed to process the form when it is submitted.
However, Tapestry does not use any form of validation to ensure that the encoded data has not been tampered with. It is relatively easy to create a DoS attack by exploiting this.
Tapestry should use some form of HMAC (hash-based message authentication) to ensure that the contents of such data are valid; the signing and validation should occur after writing GZipped content, and before GZip decoding (it is very easy to provide a small gzipped payload that expands to an enormous size, for example; this is one form of DoS).
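As an added illustration (not Tapestry's own code), the ordering the report asks for in Python, with JSON standing in for Java serialization: the HMAC covers the compressed bytes, is checked in constant time before any gunzip, and the inflated size is capped as defence in depth. The key, the sample form actions and the oversized payload are constructed for the example.

```python
import base64, gzip, hashlib, hmac, io, json

MAC_LEN = hashlib.sha256().digest_size  # 32-byte tag prefixed to the payload


def encode_client_data(obj, key):
    """Serialize, gzip, then MAC the *compressed* bytes (JSON stands in for Java serialization)."""
    gz = gzip.compress(json.dumps(obj).encode("utf-8"))
    tag = hmac.new(key, gz, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + gz).decode("ascii")


def decode_client_data(token, key, max_plain=1 << 20):
    """Verify the tag before any gunzip; also cap the inflated size as defence in depth."""
    blob = base64.urlsafe_b64decode(token)
    tag, gz = blob[:MAC_LEN], blob[MAC_LEN:]
    expected = hmac.new(key, gz, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("client data failed HMAC check")
    with gzip.GzipFile(fileobj=io.BytesIO(gz)) as f:
        raw = f.read(max_plain + 1)  # bounded read: never inflate without a limit
    if len(raw) > max_plain:
        raise ValueError("inflated payload exceeds limit")
    return json.loads(raw.decode("utf-8"))


def _rejected(token, key, **kw):
    try:
        decode_client_data(token, key, **kw)
        return False
    except ValueError:
        return True


def demo(key=b"constructed-server-secret"):
    actions = [{"op": "setValue", "id": "email"}, {"op": "submit"}]  # constructed
    token = encode_client_data(actions, key)
    blob = bytearray(base64.urlsafe_b64decode(token))
    blob[MAC_LEN + 10] ^= 0x01  # flip one bit inside the gzip body, keep the tag
    forged = base64.urlsafe_b64encode(bytes(blob)).decode("ascii")
    bomb = gzip.compress(b"\0" * (8 << 20))  # unsigned bomb: 8 MiB inflates from ~8 KiB
    bomb_token = base64.urlsafe_b64encode(bytes(MAC_LEN) + bomb).decode("ascii")
    return {
        "roundtrip": decode_client_data(token, key) == actions,
        "tamper_rejected": _rejected(forged, key),
        "bomb_rejected": _rejected(bomb_token, key),  # fails the MAC, never inflated
        "cap_enforced": _rejected(token, key, max_plain=8),
    }
```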