Dawn Song, Midterm 1 (solution), Spring 2012

form is submitted using an HTTP GET, which means the password is sent as part of the URI.
◦ A malware attacker can get my password.
◦ A web attacker can read my passwords using framebusting.
Answer: A malware attacker can get my password.

(g) (2 points) A web application firewall is a software program that sits on the network, next to the web application server, and looks at all HTTP requests going to the server. It is used to detect XSS attempts. Which of the following attack attempts could be detected by a web application firewall interposing on all requests to the www.example.com web server? Circle all that apply (leave blank for none). Point awarded only if all the correct options (and no others) are circled.
1. http://www.example.com/postComment.php with POST body <script>doEvil()</script>
2. http://www.example.com/post.php?comment=<script>doEvil()</script>
3. http://www.example.com/search.php#!?=in=db&query=<script>doEvil</script>
4. http://blog.example.com/post.php?comment=<script>doEvil()</script>
Answer: 1 and 2 only. Superfluous options give zero points.

(h) (2 points) Prof. Evil provides all the members of CalTopia access to Zion, the centralized servers holding a distributed Badoop Filesystem for storing data. Users can ssh in and see their files and/or create new files. The Linux kernel enforces the permissions setup. For example, files under /home/profevil/ are all readable only by the profevil user and not by the minion420 user. Prof. Evil also creates a web-based UI to view existing files. In this website, the UI requires that you log in with your username and password. The web server runs as group www, and all user files are given group www. The server validates the login credentials with the OS. Finally, the web app looks up the owner of the file in question and makes sure the owner matches the logged-in user. For example, if a file is not readable by minion420, then the WebUI will refuse to display it to him.
Which of the following is correct regarding the check that the owner of the file matches the logged-in user? Circle all that apply (leave blank for none). Point awarded only if all the correct options (and no others) are circled.
◦ The server code doesn't need to do this; the OS kernel takes care of it automatically via the permissions setup. They should remove the check for efficiency.
◦ The server code doesn't really need to do this, but it's a good defense-in-depth mechanism.
◦ The server code needs to do this, as otherwise minion420 could read profevil's files.
◦ The server code needs to do this because the OS kernel's implementation might have a bug.
Answer: Only option 3 receives +2 points. Any other option, or selecting superfluous options, results in zero points.

(i) (3 points) BCS.com wants to add social networking to its website using gracebook.com. For this, it needs to accept post-messages from gracebook.com subdomains. The following code does this check:

    window.onmessage = function(e) {
        if (e.origin.indexOf('.gracebook.com') != -1) {
            // trust the message
        }
    };

The String indexOf method is defined as: The indexOf method returns the index within the calling String object of the first occurrence of the specified value, or returns -1 if the value is not found. We only want to accept messages from gracebook.com and all its subdomains. Is the check sufficient? If not, give a counter example (i.e., a possibly attacker-controlled domain that will be trusted).
Answer: +1 point for no. +2 points for a correct example. One possible answer is: foo.gracebook.com.attacker.com
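As an added illustration of question (i) (not part of the exam), the substring check from the question is placed next to an origin check that parses the origin and compares the host against an exact label boundary; both are run over constructed origin strings, including the exam's counterexample. The function names and sample origins are chosen here and are not from the exam.

```javascript
// Added example, not the exam's code. Compares the flawed indexOf check from
// question (i) with a parsed-origin check, over constructed sample origins.

// The check as written in the question: any origin string that merely
// contains ".gracebook.com" somewhere is trusted.
function isTrustedOriginNaive(origin) {
  return origin.indexOf('.gracebook.com') !== -1;
}

// Hardened check: parse the origin, require https, and accept only the apex
// host or a host whose final labels are exactly ".gracebook.com".
function isTrustedOrigin(origin) {
  let u;
  try {
    u = new URL(origin); // throws on "null" and other non-URL origins
  } catch (e) {
    return false;
  }
  if (u.protocol !== 'https:') return false;
  const host = u.hostname;
  return host === 'gracebook.com' || host.endsWith('.gracebook.com');
}

// Constructed sample origins (not from the exam): only the first two
// should be trusted. Note the naive check rejects the apex domain (no
// leading dot) yet accepts the attacker-controlled host and plain http.
const SAMPLE_ORIGINS = [
  'https://gracebook.com',
  'https://www.gracebook.com',
  'https://foo.gracebook.com.attacker.com', // the exam's counterexample
  'https://attacker.com',
  'http://www.gracebook.com', // wrong scheme: spoofable on the network
  'null', // sandboxed iframe or opaque origin
];

// Run both checks over a list of origins and return the verdicts.
function compareChecks(origins = SAMPLE_ORIGINS) {
  return origins.map((o) => ({
    origin: o,
    naive: isTrustedOriginNaive(o),
    hardened: isTrustedOrigin(o),
  }));
}

// Message handler using the hardened check; in a page it would be
// installed as window.onmessage. Returns the data only from trusted origins.
function onMessage(e) {
  if (!isTrustedOrigin(e.origin)) return null;
  return e.data;
}
```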

This document was uploaded on 02/23/2014.
