rce is downloaded, specify whether it is executed in the
trusted.com or the untrusted.com origin.
1. <a href="untrusted.com">
2. <script src="untrusted.com">
3. <iframe src="untrusted.com">
4. <style src="untrusted.com">
Answer: trusted.com An-
(d) (2 points) You are visiting a banking website, http://www.americasbank.com. After logging in, a session is established with the server with
a random 8 bit session ID in the cookie. Unfortunately, Mallory, a
network attacker, is able to hijack your session with the bank and
transfer out a large sum of money. Which of the following changes
does the bank need to do to prevent such attacks in the future and
provide the most flexibility? Circle all that apply (leave blank
for none). Point awarded only if all the correct options (and
no others) are circled.
◦ Use SSL/TLS.
◦ Increase the random session ID length.
◦ Check the IP address of the connection. If it is different from the
previous IP address used with the given session ID, reject the
◦ Create a new, random session ID every 5 minutes.
◦ Require the user to change their password at least once a month.
Answer: Increase random session ID length and Use SSL/TLS. +2 point for both, 0 points otherwise.
(e) (1 point) Are the following URIs same origin?
Page 16
◦ No
(f) (1 point) I go to a page on http://www.example.net and log in.
The person who wrote the login page is my friend, and I know he
always makes sure to set the form action (the target uri for form
submission) to an HTTPS URI. Which one of the following options
is correct? Circle all that apply (leave blank for none). Point
awarded only if all the correct options (and no others) are
◦ A network attacker cannot read my password since it is always
sent to an HTTPS URI
◦ A network attacker can read my password because the...
This document was uploaded on 02/23/2014.
- Spring '14
- Computer Security