Dawn Song, Midterm 1 (solution), Spring 2012



…rce is downloaded, specify whether it is executed in the trusted.com or the untrusted.com origin.

1. <a href="untrusted.com">
   Answer: untrusted.com
2. <script src="untrusted.com">
   Answer: trusted.com
3. <iframe src="untrusted.com">
   Answer: untrusted.com
4. <style src="untrusted.com">
   Answer: trusted.com

(d) (2 points) You are visiting a banking website, http://www.americasbank.com. After logging in, a session is established with the server with a random 8-bit session ID in the cookie. Unfortunately, Mallory, a network attacker, is able to hijack your session with the bank and transfer out a large sum of money. Which of the following changes does the bank need to make to prevent such attacks in the future and provide the most flexibility? Circle all that apply (leave blank for none). Points awarded only if all the correct options (and no others) are circled.

◦ Use SSL/TLS.
◦ Increase the random session ID length.
◦ Check the IP address of the connection. If it is different from the previous IP address used with the given session ID, reject the connection.
◦ Create a new, random session ID every 5 minutes.
◦ Require the user to change their password at least once a month.

Answer: Increase random session ID length and Use SSL/TLS. +2 points for both, 0 points otherwise.

(e) (1 point) Are the following URIs same origin?

1. http://www.example.com:80/index.html
2. http://www.example.com/index.html

◦ Yes
◦ No

Answer: Yes

(f) (1 point) I go to a page on http://www.example.net and log in. The person who wrote the login page is my friend, and I know he always makes sure to set the form action (the target URI for form submission) to an HTTPS URI. Which one of the following options is correct? Circle all that apply (leave blank for none). Point awarded only if all the correct options (and no others) are circled.

◦ A network attacker cannot read my password since it is always sent to an HTTPS URI
◦ A network attacker can read my password because the...
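The same-origin test behind question (e) compares the (scheme, host, port) triple, with a missing port filled in from the scheme's default, so an explicit ":80" on an http URI does not change the origin. The following Python is an added worked example, not part of the exam or its solution; it uses only the standard library, and the pairs after the exam's own pair are constructed to show each component of the triple in turn.

```python
from urllib.parse import urlsplit

# Default ports per scheme; an explicit ":80" on http is the same origin as
# an implicit one, which is exactly what question (e) tests.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(uri: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) origin triple of a URI.

    Path, query and fragment do not contribute to the origin. A missing port
    is filled with the scheme's default so equal origins compare equal.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError(f"cannot determine port for {uri!r}")
    return (scheme, host, port)


def same_origin(a: str, b: str) -> bool:
    """True when both URIs share scheme, host and effective port."""
    return origin(a) == origin(b)


# Constructed pairs: the first is the exam's own pair from (e); the remaining
# ones are hypothetical and vary path, scheme, port and host respectively.
PAIRS = [
    ("http://www.example.com:80/index.html", "http://www.example.com/index.html"),
    ("http://www.example.com/index.html", "http://www.example.com/other/page.html"),
    ("http://www.example.com/index.html", "https://www.example.com/index.html"),
    ("http://www.example.com/index.html", "http://www.example.com:8080/index.html"),
    ("http://www.example.com/index.html", "http://example.com/index.html"),
]

if __name__ == "__main__":
    for a, b in PAIRS:
        print(f"{a}\n{b}\n  -> same origin: {same_origin(a, b)}\n")
```

Only the first two pairs are same origin: the path is not part of the origin, while a different scheme, a non-default port, or a different host (even a parent domain) each yield a distinct origin. The same triple is what the browser attaches to a page's scripts, which is why in question (c) a script fetched from untrusted.com still runs with the origin of the trusted.com page that included it.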

This document was uploaded on 02/23/2014.
