Philadelphia University
Faculty of Information Technology
Department of Software Engineering
Examination Paper
Lecturer: Dr. Samer Hanna
Internal Examiner: Dr. Mohammad Taye
Coordinator: Dr. Samer Hanna
Software Engineering of Web Systems
(0721422) Section 1
Second Exam's Key
First Semester of 2015/2016
Date: Wednesday, Dec. 30th, 2015    Time: 50 min.
Q1) (6 marks)
1) Name and discuss in detail four of the Web application vulnerabilities that can affect the security quality
attribute. (4 marks)
Solution:
1. Hidden fields
• Hidden fields refer to hidden HTML form fields, such as <input type="hidden" name="hl" value="en" />.
• In many web applications, developers use these fields to transfer values instead of presenting these values
to users.
• Unfortunately, these fields are actually visible and manipulable to users.
• Malicious users could easily change the values of these fields in the HTML source code and send the changed
values back to the web application.
2. Cross-Site Scripting
• Cross-Site Scripting (XSS) flaws occur when a web application accepts user-supplied inputs that contain
browser-executable scripts, and posts the inputs in an HTML page without validating or encoding them.
• When another user accesses the HTML page, the web browser executes the scripts posted in that HTML
page.
• Through XSS, attackers could send an executable script to a victim's browser, and then possibly hijack
user sessions, deface websites, introduce worms, etc.
3. SQL injection
• SQL injection flaws occur when user-supplied inputs are sent to an interpreter as part of a command or
query.
• Attackers trick the interpreter into executing unintended commands by supplying specially crafted data.
4. Unconscious mistakes
• Besides the preceding malicious attacks, many users can enter invalid inputs unconsciously.
• For example, users may accidentally enter invalid characters, such as multiple blanks, &, and null.
2) Give a detailed example of any of the vulnerabilities in branch 1. (2 marks)
Solution:
XSS example:
Q2) (10 marks)
Suppose that you want to build a Web page for a restaurant with the following specifications:
- The Web page displays information about the restaurant such as: its name, available foods, prices, etc.
- In order to enable a customer to order food online, the customer should be able to enter his/her name,
phone number and the food to order on the same page.
1) Write the needed HTML for this Web page. (2 marks)
Solution:
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>KFC Restaurant</title>
    <meta name="keywords" content="kfc, delivery" />
</head>
<body>
<form id="form1" runat="server">
    <div id="wrap">
        <div id="info">
            <h2>KFC Restaurant</h2>
            <table>
                <tr>
                    <th>Food</th>
                    <th>Price</th>
                </tr>
                <tr>
                    <td>Dinner Meal</td>
                    <td>4.30 JD</td>
                </tr>
                <tr>
                    <td>Chicken Meal</td>
                    <td>3.20 JD</td>
                </tr>
                <tr>
                    <td>Fish Meal</td>
                    <td>5.10 JD</td>
                </tr>
            </table>
        </div>
        <div id="order">
            <h2>Order a Meal here</h2>
            <!-- name attributes are needed so the values are actually posted with the form -->
            Name : <input type="text" id="name" name="name" size="25" />
            <br />
            Phone: <input type="tel" id="phone" name="phone" size="25" />
            <br />
            Meal: <input type="text" id="meal" name="meal" size="25" />
            <br />
            <input type="submit" value="Order" />
        </div>
    </div>
</form>
</body>
</html>
2) Write the needed CSS code to a) display the restaurant information to the left of the page and the order
information to the right of the page (1 mark). b) give the page a width of 800 pixels (1 mark)
<style type="text/css">
    #info {
        float: left;
    }
    #wrap {
        width: 800px;
    }
</style>
3) Suppose that you want to use a crawler-based security tool to defend the web page you built: a) name the tool
you will use (1 mark). b) What will this tool help you to do? (Describe its job.) (2 marks)
Solution:
a) Nikto2; Wikto; Acunetix
b) Crawler-based UIV testing tools retrieve HTML pages automatically, and submit predefined test inputs to the
server through these HTML pages.
4) Suppose that you want to use a proxy-based security tool to defend the web page you built: a) name the tool
you will use (1 mark). b) What will this tool help you to do? (Describe its job.) (2 marks)
a) Fiddler; Burp Proxy; TamperIE
b)
• Different from crawler-based UIV testing tools, proxy-based UIV testing tools allow developers to edit HTTP
requests directly.
• These tools basically provide a manual testing approach, which keeps the maximum flexibility without
providing any help on test input generation.
Q3) (4 marks)
The security tools you used in branches 3 and 4 of Q2 have a problem or shortcoming:
1) What is this problem? (2 marks)
These tools do not consider the semantics of the input fields.
Other problems are that crawler-based tools use only predefined test inputs, while proxy-based
tools are manual (slow).
2) How can this problem be solved? (2 marks)
By writing tools that can read the text associated with each input and generate the test data
accordingly.
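An added example (editor-supplied Python, not from the exam key) of the approach in this answer: a small script that parses the order form from Q2, reads the label text written next to each input, and chooses test data that matches that meaning, alongside the one-size-fits-all predefined inputs a crawler-based tool would send to every field. The form copy, the keyword rules, and the deliberately weak validator the plan is run against are constructed for the demo; the finding list shows which fields accept input that is invalid for their meaning.

```python
from html.parser import HTMLParser

# Constructed copy of the exam's order form (only the part with inputs matters).
ORDER_FORM = """
<form id="form1">
Name : <input type="text" id="name" name="name" size="25" />
<br />
Phone: <input type="tel" id="phone" name="phone" size="25" />
<br />
Meal: <input type="text" id="meal" name="meal" size="25" />
</form>
"""

# Generic inputs a crawler-based tool sends to every field, regardless of meaning.
GENERIC_INPUTS = ["", "   ", "a" * 300, "&", "x\x00y", "<b>x</b>", "O'Brien"]

# Constructed semantic rules: keyword in the label text -> (valid samples, invalid samples).
SEMANTIC_RULES = {
    "phone": (["0791234567", "+962791234567"], ["abc", "079-12", "1" * 30]),
    "name": (["Sami", "O'Brien"], ["", "   ", "<b>x</b>", "a" * 300]),
    "meal": (["Fish Meal", "Dinner Meal"], ["Pizza", "", "Fish Meal; DROP"]),
}


class LabelledInputParser(HTMLParser):
    """Collect each <input> together with the visible text written just before it."""

    def __init__(self):
        super().__init__()
        self.pending_text = []
        self.inputs = []  # list of (label_text, attrs)

    def handle_data(self, data):
        if data.strip():
            self.pending_text.append(data.strip())

    def handle_starttag(self, tag, attrs):
        # Self-closing <input ... /> also reaches here via handle_startendtag.
        if tag == "input":
            label = " ".join(self.pending_text).rstrip(" :")
            self.inputs.append((label, dict(attrs)))
            self.pending_text = []


def extract_inputs(html_text):
    parser = LabelledInputParser()
    parser.feed(html_text)
    parser.close()
    return parser.inputs


def generic_tests(inputs):
    """Crawler-based approach: the same predefined inputs for every field."""
    return {attrs.get("name") or attrs.get("id"): list(GENERIC_INPUTS)
            for _, attrs in inputs}


def semantic_tests(inputs):
    """Read the label next to each input and pick data that fits its meaning."""
    plan = {}
    for label, attrs in inputs:
        field = attrs.get("name") or attrs.get("id")
        for keyword, (valid, invalid) in SEMANTIC_RULES.items():
            if keyword in label.lower():
                plan[field] = {"valid": valid, "invalid": invalid}
                break
        else:  # unknown meaning: fall back to the generic inputs
            plan[field] = {"valid": [], "invalid": list(GENERIC_INPUTS)}
    return plan


def run_plan(plan, validator):
    """Submit each invalid sample; report (field, value) pairs the page accepted."""
    return [(field, bad) for field, cases in plan.items()
            for bad in cases["invalid"] if validator(field, bad)]


def weak_validator(field, value):
    """Constructed, deliberately weak server-side check: rejects only empty values,
    so the semantic plan exposes that "abc" is accepted as a phone number."""
    return value.strip() != ""


if __name__ == "__main__":
    found = extract_inputs(ORDER_FORM)
    for label, attrs in found:
        print("label %-5s -> field %s" % (label, attrs.get("name")))
    for field, bad in run_plan(semantic_tests(found), weak_validator):
        print("accepted invalid %s: %r" % (field, bad))
```

The label text is the only thing that tells the tool that "Phone" should receive digit strings and "Meal" should receive menu items; a generic plan would send the same seven strings to all three fields and could not say which acceptances are actually wrong for that field.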