










A final examination for the CS 142 course at Stanford University during the Winter Quarter of 2017. The exam consists of 16 problems, with a total score of 180 points. The exam rules state that students have 3 hours to complete the exam and can consult two double-sided pages of notes. The exam prohibits the use of laptops, cell phones, and other sources of information. The exam includes questions related to HTML, HTTPS requests, and Object Relational Mapping (ORM) systems.
I acknowledge and accept the Stanford University Honor Code. I have neither given nor received aid in answering the questions on this examination.
(Signature)
(Print your name, legibly!)
(SUID - stanford email account for grading database key)
Problem   #1   #2   #3   #4   #5   #6   #7   #8
Score
Max       12   12   10   10   12   12   14   12

Problem   #9   #10  #11  #12  #13  #14  #15  #16  Total
Score
Max       10   12   12   12   10   9    9    12   180
CS142 Final Exam

[HTML file listing (lines 1-15) referred to by the question below is not present in this copy]
Please list below which lines in the HTML file above will or could cause the browser to send an HTTP request. For each HTTP request state whether the requested data will be fetched synchronously (immediately, with browser processing of the page suspended until the response comes in), asynchronously (immediately, with browser processing of the page continuing before the response comes in), or deferred (the request is generated some time after the page is rendered by the browser).
Line 5: synchronous GET request for main.css
Line 6: synchronous GET request for index.js
Line 10: asynchronous GET request for photo.png
Line 11: deferred GET request for http://cs142.stanford.edu (when clicked)
The same origin policy of browser isolation controls access so one website's JavaScript can not access another website's cookies or use XMLHttpRequest to access another website. Explain the loophole in browsers that allows Cross Site Request Forgery (CSRF) attacks where a website may generate valid HTTP requests to another website.
Even under the same origin policy, HTTP requests generated by an attacker's HTML will have the cookies of the request destination attached by the browser. For backends that use session cookies to authenticate requests these requests will look valid. Requests can be generated by having an "a" tag that baits the user into clicking on it (GET request) or by generating a form submit (GET or POST requests).
Suppose you run a bitcoin exchange and your web application uses HTTPS requests to fetch all content. You hire an intern and instruct the person to add your company logo to every view. The intern figures that the logo is not sensitive so uses unencrypted HTTP requests to fetch the logo .png file from your server. Describe the security problem this change causes.
The problem was described in class as "mixed context". The HTTP GET request for the logo.png file will have the cookies, including the session cookie, attached, allowing a "man-in-the-middle" attacker to steal it and use it to forge valid-looking requests to the backend.
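A small model of the browser rule that makes this leak happen, and of the cookie attribute that stops it, added here as an example (not from the exam). It assumes the host name exchange.example, the function names parseSetCookie, cookiesSentTo and leakedBy, and two constructed Set-Cookie headers for the exchange's session cookie.

```javascript
// Added example: why the plain-HTTP logo fetch leaks the session cookie.
// Browsers attach every cookie for the host to every request to that host,
// over http or https alike, unless the cookie carries the Secure attribute.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Browser rule modelled here: a cookie with the Secure attribute is sent only
// over https; any other cookie for the host also rides along on http requests.
function cookiesSentTo(jar, requestUrl) {
  const u = new URL(requestUrl);
  return jar
    .filter((c) => !(c.attrs.secure && u.protocol !== "https:"))
    .map((c) => c.name);
}

// Constructed scenario: the same session cookie set without and with Secure.
const INSECURE_JAR = [parseSetCookie("session=abc123; HttpOnly; Path=/")];
const HARDENED_JAR = [parseSetCookie("session=abc123; Secure; HttpOnly; Path=/")];

// What a network attacker can read in the clear when the intern's logo fetch runs.
function leakedBy(jar) {
  return cookiesSentTo(jar, "http://exchange.example/logo.png");
}

console.log(leakedBy(INSECURE_JAR)); // [ 'session' ]  - the session cookie travels unencrypted
console.log(leakedBy(HARDENED_JAR)); // []             - Secure cookie withheld on http
```

The Secure attribute limits the damage of a stray http:// URL; the actual fix for the intern's change is still to fetch the logo over HTTPS like everything else, since the plain-HTTP response itself can be tampered with by the same attacker.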
Assume you are given a correctly functioning database with several secondary indexes. You delete one of the secondary indexes. For each of the following effects the index deletion could have, state if the effect is either possible or impossible. Provide a justification for your answer. If possible, describe a scenario in which it would happen. If impossible, describe why.
Assume you are given a MEAN stack web application like we developed in class. Indicate whether the following concepts pertain to the browser (frontend) side, the server (backend) side, or both and give a brief one-sentence justification:
a. Inserting objects into a database
b. Rendering HTML documents
c. Sending HTTP GET requests
d. Accepting TCP connections
e. Running JavaScript code
f. Sending HTML, CSS, and JavaScript files
g. Reacting to a mouse click

a. Server: The database is running in the backend and the code that accesses the database runs in the web server tier, which is also in the backend.
b. Browser: The browser contains the HTML layout engine that renders HTML on the screen.
c. Browser: When processing HTML, or using the XMLHttpRequest API, the browser generates HTTP GET requests that are sent to the server.
d. Server: The browser speaking HTTP establishes a TCP connection with the web server, which accepts the connection.
e. Both: In a MEAN stack, we run JavaScript both in the browser (Angular.js) and in the web server (Node.js).
f. Server: A web server in MEAN will serve HTML, CSS, and JavaScript files to the browser.
g. Browser: DOM event handling on mouse clicks happens in the browser.
The following Node.js program uses the Node fs module to read a large file twice using two different API calls. When run, the program prints the numbers 1 through 5 to the console. Answer this question by listing the order in which the numbers are printed. Provide a brief (one or two sentence) explanation of the order in your answer.
var fs = require("fs");

fs.readFile("./largeFile", function () {
    console.log("1");
});
console.log("2");

function readFileSyncWithCb(fileName, callback) {
    var f = fs.readFileSync(fileName);
    console.log("3");
    callback();
}

readFileSyncWithCb("./largeFile", function () {
    console.log("4");
});
console.log("5");
Output:
2 3 4 5 1
The fs.readFile call will call its done callback later, so the first log we get is '2'. Afterwards, readFileSyncWithCb will be called and print '3' and then call its callback, which prints '4'. Execution then continues with '5' printed, and later the fs.readFile callback will fire, printing '1'.
The following Node.js program uses the Node events and fs modules to read an input file and print some lines to the console log.
var events = require('events');
var myEmitter = new events.EventEmitter();
var fs = require('fs');

myEmitter.on('A', function () {
    console.log('A');
});
myEmitter.on('D', function () {
    console.log('D');
});

var readableStreamEvent = fs.createReadStream('./inputFile');

readableStreamEvent.on('data', function (fileData) {
    console.log('B');
    myEmitter.emit('A');
});
myEmitter.emit('D');
readableStreamEvent.on('finish', function () {
    console.log('C');
    myEmitter.emit('A');
});
Answer questions on the following page…..
Content Distribution Networks work well for data that doesn't change (i.e. is read-only) and can be very beneficial, but they don't work at all for rapidly changing data. An application with mostly read-only data benefits, whereas one with no read-only data will not.
The pay-for-the-resources-you-use pricing model of cloud providers is a big win for a start-up that is using few resources but would like to rapidly expand resource consumption if the customers show up. Buying your own computing resources to be ready when the customers show up can take much capital up front.
Load balancing with web servers can be done by making every server able to process any request, so requests can be assigned to web servers using any algorithm that distributes the request processing among the servers. When distributing load on a scale-out storage system, the requests need to be routed to the servers that contain the requested data. Balancing load means distributing the data so that requests are spread evenly among the data shards. Allocating data to servers to balance load can be more complex than load balancing when any stateless server can be used.
Application session state (state kept per browser connection) requires fast access from any of the servers in a scale-out architecture so that requests can be load balanced across them. Systems that trade off storage reliability for lower resource consumption and higher speed, like memcached, are popular for session state.
Storing web application state using the HTTP cookie mechanism has some advantages including the ability to use the storage space on the user's machine. Assuming we can get over problems with cookies being lost or corrupted and browser imposed limits, what would be the problem with storing significant amounts of state in cookies?
Since cookies are attached to every HTTP request sent from the browser to the website, having a lot of information stored in cookies would make every request bigger, consuming more bandwidth and slowing things down.
Describe an attack that can be launched if a hacker could become the Domain Name Service (DNS) server for a user's browser.
If the hacker could substitute their own DNS service they could make any HTTP/HTTPS URL connect to the attacker's web server rather than where it was supposed to go. The attacker could host a fake website that fools the user into interacting with it.