Dawn Song, Midterm 1 (solution), Spring 2012


inst HTTP.

Answer: Verify it against the digital signature stored in http://<game-website>/updates/updateX-signature.txt using the game company's public key that is already embedded in the game's code. A MAC won't work because it is a symmetric algorithm and the game would have to embed the MAC key into the software for verification, and an attacker can then extract the key out of the software and use it to generate a MAC of a malicious update. A cryptographic hash doesn't use keys so an attacker can generate the cryptographic hash key of a malicious update. HTTP is indeed susceptible to man-in-the-middle attacks.

6. (18 points) Web Security

(a) (2 points) When visiting a website, such as a bank's website, which of the following is a necessary part of preventing a man-in-the-middle attack?

(a) An HTTPS connection
(b) A security image
(c) A CAPTCHA

◦ (a) only
◦ (b) only
◦ (c) only
◦ Both (a) and (b)
◦ Both (b) and (c)

Answer: (a) only

(b) (1 point) In the following PHP code, in which line is there a potential XSS attack, assuming all sanitizer functions work correctly and all variables are user inputs?

    1  <?php
    2  echo '<p>Hello, ' . sanitizeHTML($username) . '</p>';
    3
    4  echo '<p>The homepage for userid ' . sanitizeNumber($userid) . ' is: </p>';
    5  echo '<p><a href=' . sanitizeHTML($homepage) . '>homepage</a></p>';
    6
    7  echo '<p><a href=myprofile.php>' .
    8       'Return to profile of ' .
    9       sanitizeHTML($username) . '.</a></p>';
    10
    11 ?>

◦ Line 2
◦ Line 4
◦ Line 5
◦ Line 9
◦ There is no XSS

Answer: Line 5

(c) (4 points) In the trusted.com website, there are a number of references to external URLs at untrusted.com. For each of the following HTML elements that appear in the trusted.com website, when the external resou...
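Why line 5 in question 6(b) is still injectable when sanitizeHTML works correctly, shown as an added example that is not part of the exam or its solution. It is written in Python so the parse result can be checked; html.escape is an assumed stand-in for sanitizeHTML, the function names and sample input are constructed, and the scheme allowlist in the hardened form goes one step beyond what the exam answer states.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

def sanitize_html(value):
    # Assumed stand-in for the exam's sanitizeHTML(): entity-encodes & < > " '
    return html.escape(value, quote=True)

def render_line5(homepage):
    # Same shape as line 5: the escaped value lands in an UNQUOTED href,
    # so whitespace in the value ends the attribute and starts a new one.
    return "<p><a href=" + sanitize_html(homepage) + ">homepage</a></p>"

def is_http_url(url):
    try:
        return urlsplit(url.strip()).scheme.lower() in ("http", "https")
    except ValueError:
        return False

def render_hardened(homepage):
    # Allowlist the URL scheme, then escape and QUOTE the attribute value.
    if not is_http_url(homepage):
        homepage = "#"
    return '<p><a href="' + sanitize_html(homepage) + '">homepage</a></p>'

class AnchorAttrs(HTMLParser):
    """Records the attributes an HTML parser assigns to the first <a> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)

def anchor_attrs(markup):
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs

# Constructed input: it contains no character that entity-encoding changes.
SAMPLE = "http://example.com/home onmouseover=constructed_marker"

if __name__ == "__main__":
    print("line 5  :", anchor_attrs(render_line5(SAMPLE)))
    print("hardened:", anchor_attrs(render_hardened(SAMPLE)))
```

With the line 5 shape the parser reports two attributes on the link, the second being an event handler taken from user input; with the quoted form the whole string stays inside href.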

This document was uploaded on 02/23/2014.