02-09-2010-answers - CS 161 Spring 2010 Computer Security...

CS 161 Computer Security, Spring 2010, Paxson/Wagner
Discussion 3, February 09, 2010

1. Cross Site Scripting (XSS)

To launch a reflected XSS attack, you need to get the victim to click on a well-crafted malicious link.

(a) What are some ways an attacker can get that to happen?
(b) What are some examples of the damage the attacker could inflict on the victim?
(c) Why does the attacker even need to bother with XSS? Why not just host a site that has, in the background, a script that steals all the cookies from any other sites the user has open in their browser? Any time a user goes to the attacker's site, all their session information from the other sites they are visiting would be stolen.

Answer:
(a) Phishing emails, chat forums.
(b) Deface the web page, steal session cookies.
(c) The same-origin policy prevents one page from accessing the methods and properties of a page from a different domain. XSS is a way around that, as the injected script is not held to the same-origin policy.

2. Cross Site Request Forgery (CSRF)

In a CSRF attack, a malicious user is able to take action on behalf of the victim. Consider the following example. Mallory posts the following in a comment on a chat forum:

Of course, Patsy-Bank won't let just anyone request a transaction on behalf of any given account name. Users first need to authenticate with a password. However, once a user has authenticated, Patsy-Bank associates their session ID with an authenticated session state.

(a) Explain what could happen when Victim Vern visits the chat forum and views Mallory's comment.
(b) What are some defenses against this attack?
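One standard defense for question 2(b) is a per-session anti-CSRF token: the bank's own form carries a value derived from the session that a comment on the forum cannot know, and the server refuses state-changing requests without it. The sketch below is an added example, not part of the worksheet; the session store, the HMAC-derived token and the `transfer` handler are all constructed here for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory session store: session ID -> authenticated state.
SESSIONS = {}
# Server-side secret used to derive tokens (assumption: one per deployment).
SECRET_KEY = secrets.token_bytes(32)


def login(user):
    """Password check omitted; returns the session ID Patsy-Bank sets as a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "authenticated": True}
    return sid


def csrf_token(sid):
    """Token bound to the session; only pages the bank itself renders can embed it."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()


def transfer(request):
    """Handle a transfer request given as {cookies, method, form}; returns (status, body)."""
    sid = request.get("cookies", {}).get("session")
    session = SESSIONS.get(sid)
    if not session or not session.get("authenticated"):
        return 401, "not authenticated"
    # A cross-site <img> or link produces a GET; GET must never change state.
    if request.get("method") != "POST":
        return 405, "state-changing requests must use POST"
    form = request.get("form", {})
    supplied = form.get("csrf_token", "").encode()
    # Constant-time comparison against the token derived from this session.
    if not hmac.compare_digest(supplied, csrf_token(sid).encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {form.get('amount')} from {session['user']} to {form.get('to')}"


def demo():
    """Vern is logged in; the browser attaches his cookie to every request to the bank."""
    sid = login("vern")
    cookies = {"session": sid}
    forged_get = transfer({"cookies": cookies, "method": "GET", "form": {"to": "mallory", "amount": "1000"}})
    forged_post = transfer({"cookies": cookies, "method": "POST", "form": {"to": "mallory", "amount": "1000"}})
    genuine = transfer({"cookies": cookies, "method": "POST",
                        "form": {"to": "alice", "amount": "10", "csrf_token": csrf_token(sid)}})
    return forged_get[0], forged_post[0], genuine[0]
```

The cookie alone is what the forged requests rely on, so the token check (and not the authenticated session) is what separates the genuine request from Mallory's.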

This note was uploaded on 04/14/2010 for the course CS 161 taught by Professor Wagner during the Spring '10 term at University of Central Arkansas.
