This preview shows page 1. Sign up to view the full content.
inst HTTP.
Answer: Verify it against the digital signature stored in
http://<game-website>/updates/updateX-signature.txt using
the game company's public key that is already embedded in
the game's code. A MAC won't work because it is a symmetric algorithm: the game would have to embed the MAC
key into the software for verification, and an attacker could
then extract the key from the software and use it to generate
a MAC of a malicious update. A cryptographic hash doesn't
use keys at all, so an attacker can simply compute the cryptographic hash
of a malicious update.
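The three schemes weighed in the answer, played out in code. This is an added example, not part of the exam or its answer key: it uses Go's crypto/ed25519 as the signature scheme (the exam names none), HMAC-SHA256 as the MAC and SHA-256 as the bare hash, and the update and "malicious" payloads are constructed strings. The signature file name follows the exam's updateX-signature.txt path; the key pairs are generated on the spot purely for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Results records which updates each verification scheme accepts.
type Results struct {
	GenuineSigAccepted  bool // real publisher's signature over the real update
	TamperedSigRejected bool // same signature, update altered in transit
	ForgedSigRejected   bool // attacker signs a malicious update with their own key
	HashForgeAccepted   bool // hash-only check: attacker publishes the hash of the malicious update
	MACForgeAccepted    bool // MAC check: attacker uses the key extracted from the client
}

// verifyUpdate is the client-side check from the answer: the only material
// the game ships is the publisher's public key, which does not help a forger.
func verifyUpdate(embeddedPub ed25519.PublicKey, update, sig []byte) bool {
	return ed25519.Verify(embeddedPub, update, sig)
}

// hashOnlyCheck compares the update against a published hash. No secret is
// involved, so whoever can replace the update can replace the hash too.
func hashOnlyCheck(update []byte, published [sha256.Size]byte) bool {
	return sha256.Sum256(update) == published
}

// computeMAC and macCheck model the MAC alternative. Verification needs the
// same key as generation, so the key would have to live inside the client.
func computeMAC(key, update []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(update)
	return m.Sum(nil)
}

func macCheck(key, update, tag []byte) bool {
	return hmac.Equal(computeMAC(key, update), tag)
}

// run plays the three schemes against a constructed update and a constructed
// malicious replacement served by a man-in-the-middle on the HTTP channel.
func run() (Results, error) {
	var r Results

	// Publisher key pair, generated here for the example. In practice priv
	// stays offline at the company and only pub is compiled into the game.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	update := []byte("updateX: constructed sample update payload")
	malicious := []byte("updateX: constructed malicious payload")

	// Scheme 1: digital signature, published as updateX-signature.txt.
	sig := ed25519.Sign(priv, update)
	r.GenuineSigAccepted = verifyUpdate(pub, update, sig)
	r.TamperedSigRejected = !verifyUpdate(pub, malicious, sig)

	// The attacker can serve a signature file too, but only under a key they
	// own, and the embedded public key does not correspond to it.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	r.ForgedSigRejected = !verifyUpdate(pub, malicious, ed25519.Sign(attackerPriv, malicious))

	// Scheme 2: bare hash. The attacker computes the hash of their own payload
	// and serves it in place of the published one.
	r.HashForgeAccepted = hashOnlyCheck(malicious, sha256.Sum256(malicious))

	// Scheme 3: MAC. The key embedded in the client is recoverable from the
	// binary; with it the attacker tags the malicious update themselves.
	macKey := make([]byte, 32)
	if _, err := rand.Read(macKey); err != nil {
		return r, err
	}
	extractedKey := macKey // what the attacker pulled out of the shipped binary
	r.MACForgeAccepted = macCheck(macKey, malicious, computeMAC(extractedKey, malicious))
	return r, nil
}

func main() {
	r, err := run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it prints all five fields true: the signature check accepts only the genuine update, while the hash-only and MAC checks both accept the attacker's payload, which is exactly the asymmetry the answer relies on (the verifier holds nothing a forger could use).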
HTTP is indeed susceptible to man-in-the-middle attacks.

6. (18 points) Web Security
(a) (2 points) When visiting a website, such as a bank's website, which
of the following is a necessary part of preventing a man-in-the-middle attack?
(a) An HTTPS connection
(b) A security image
(c) A CAPTCHA
◦ (a) only
◦ Both (a) and (b)
◦ Both (b) and (c)
Answer: (a) only
(b) (1 point) In the following PHP code, in which line is there a potential
XSS attack, assuming all sanitizer functions work correctly and all
variables are user inputs?
echo '<p>Hello, ' . sanitizeHTML($username) . '</p>';
echo '<p>The homepage for user id ' .
    sanitizeNumber($userid) . ' is:</p>';
echo '<p><a href=
    ' . sanitizeHTML($homepage) .
    '>homepage</a></p>';
echo '<p><a href=myprofile.php>' .
    'Return to profile of ' .
    sanitizeHTML($username) .
    '.</a></p>';
◦ Line 2
◦ There is no XSS
Answer: Line 5
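Why line 5 is the problem even though sanitizeHTML "works correctly": HTML escaping only neutralises characters that break out of text content, and a value placed in an href needs a URL-context check (and a quoted attribute) instead. The following is an added Go example, not the exam's PHP: html.EscapeString stands in for sanitizeHTML in the naive rendering, html/template's context-aware escaping is the hardened rendering (it substitutes its failsafe placeholder "#ZgotmplZ" for URLs whose scheme is not http, https or mailto), and the two input strings are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
	"net/url"
)

// renderNaive mirrors line 5 of the exam's PHP: the user-controlled homepage
// value is HTML-escaped (html.EscapeString stands in for sanitizeHTML) and
// dropped into an unquoted href attribute. Nothing in html.EscapeString
// touches ':' or '(' , so a javascript: URL survives intact.
func renderNaive(homepage string) string {
	return "<p><a href=" + html.EscapeString(homepage) + ">homepage</a></p>"
}

// linkTmpl is the hardened form: html/template knows the value sits inside a
// quoted URL attribute, so it applies URL rules (scheme filtering, attribute
// escaping) rather than plain HTML escaping.
var linkTmpl = template.Must(template.New("link").Parse(`<p><a href="{{.}}">homepage</a></p>`))

func renderSafe(homepage string) (string, error) {
	var buf bytes.Buffer
	if err := linkTmpl.Execute(&buf, homepage); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// isHTTPURL is the explicit check an href value needs and sanitizeHTML does
// not perform: parse the value and allow only http/https with a host.
func isHTTPURL(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
}

func main() {
	// Constructed inputs: one benign homepage, one javascript: URL.
	for _, in := range []string{"https://example.com/", "javascript:alert(1)"} {
		safe, err := renderSafe(in)
		if err != nil {
			panic(err)
		}
		fmt.Printf("input %q\n  naive:     %s\n  safe:      %s\n  isHTTPURL: %v\n",
			in, renderNaive(in), safe, isHTTPURL(in))
	}
}
```

The naive output for the second input is `<p><a href=javascript:alert(1)>homepage</a></p>`, a link a browser will execute, while the hardened output is `<p><a href="#ZgotmplZ">homepage</a></p>`; the benign URL passes both unchanged apart from the added quotes. Lines 1 and 9 of the exam code are safe because sanitizeHTML is applied in text context, and line 3 is safe because sanitizeNumber leaves only digits.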
(c) (4 points) In the trusted.com website, there are a number of references to external URLs at untrusted.com. For each of the following
HTML elements that appear in the trusted.com website, when the
This document was uploaded on 02/23/2014.
- Spring '14
- Computer Security