Stanford University
Computer Science Department
CS 253 Final Exam Fall 2019
December 10, 2019

This is a closed book exam. You may use two (double-sided) sheets of notes. You have 3 hours. Write all of your answers directly on the paper. Make your answers as concise as possible.

NOTE: We will take off points if a correct answer also includes incorrect or irrelevant information (i.e. don't write everything you know in hopes of saying the correct buzzword.)

Question                     Score
True/False (14 points)
Short Answer (22 points)
Free Response (37 points)
TOTAL (73 possible points)

Stanford University Honor Code

In accordance with both the letter and the spirit of the Honor Code, I did not cheat on this exam nor will I assist someone else in cheating.

Name and SUNet ID:
Signature:

True or False (1 point each)

For each question, write either "True" or "False".

  1. Code injection is caused when untrusted user data unexpectedly becomes code.
  2. It's OK to put sensitive information in hidden form fields since, after all, they're hidden. For example, .
  3. The server can trust cookie values in HTTP requests to be untampered since the cookies are set by the server.
  4. The cookie attribute HttpOnly helps to mitigate the effects of XSS attacks by preventing client-side JavaScript from reading the cookie.
  5. Your browser will save cookies even from sites you have not visited directly. ("Visited directly" means that e.g. you navigated to the site and its URL appeared in the browser's address bar)
  6. You should prefer to use a blocklist (to block known bad input and allow everything else) rather than an allowlist (to only allow known good input and block everything else).
  7. Cross-site request forgery is a type of injection attack.
  8. HTML/JavaScript are the primary languages targeted by cross-site scripting attacks.
  9. Reflected XSS occurs when a malicious user convinces a victim to send a request to a server with malicious input and the server echoes the input back to client.
Short Answer

  1. You are a penetration tester evaluating a client's website for security vulnerabilities. You notice that their authentication system chooses sequential session IDs for users. Specifically, the first user to log in to the site gets a session ID of 1, the second user gets 2, the third user gets 3, and so on. Describe an attack against this authentication system.
  2. (Continued from previous question) The client "fixes" the issue by updating the server code so a random number between 1 and 2^128 is chosen at startup and used as the first session ID given to a user. All subsequent session IDs are chosen by adding 1 to the last session ID given to a user. For instance, if the server randomly chose 9000 as the first session ID, then the second session ID would be 9001, and so on. Describe an attack against this authentication system.
  3. Why is it a bad idea to include detailed error information (e.g. including a stack trace) in the HTTP response when the server throws an exception?

  1. An attacker injects an XSS payload into the HTML page sent by your server. Given the following CSP, would the XSS attack succeed? Why or why not?
     CSP: Content-Security-Policy: script-src 'self';
     XSS:
  2. An attacker injects an XSS payload into the HTML page sent by your server. Given the following CSP, would the XSS attack succeed? Why or why not?
     CSP: Content-Security-Policy: script-src 'self' https://javascript-cdn.com;
     XSS:

  1. What is the difference between authentication and authorization?

Free Response (3 points each)

For each question, write an answer using no more than 150 words.

1. Same Origin Policy: Would the following code running on https://attacker.com be allowed to print out the contents of the Axess homepage, which include the currently logged-in user's grades? Why or why not?

You can assume that https://axess.stanford.edu does not send any special HTTP headers such as Access-Control-Allow-Origin, which are also known as "CORS" headers.

2. More Same Origin Policy: Would the following code running on https://attacker.com be allowed to listen to the 'submit' event on the bank's login form and grab the username and password? Why or why not?

3. CORS Preflight: Explain why the browser must send an OPTIONS or "preflight" request to the server before it sends certain HTTP requests. To help jog your memory, here is an example of an OPTIONS request:

```http
OPTIONS /resource/foo
Access-Control-Request-Method: DELETE
Origin: https://example.com
```
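Questions 1 to 3 all turn on the same browser rule: a page may only read cross-origin responses (or send non-simple cross-origin requests) when the target server opts in. The following is an added example, not part of the exam, that encodes the origin comparison, the browser's decision of whether a request is "simple" enough to send without asking, the preflight it builds otherwise, and a server that answers the preflight from an allow-list. The origins, the path and the allow-list are constructed for the demo.

```javascript
// Added example (not from the exam): same-origin check, preflight decision, and
// both sides of the OPTIONS exchange. Origins and policy are made up for the demo.

// Same-origin policy: scheme, host and port must all match.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Requests a plain HTML form could already send. These go out without a preflight,
// because servers have always had to cope with them; CORS then only decides whether
// the page may read the response.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Anything else (DELETE, PUT, JSON bodies, custom headers) could have side effects a
// server never expected a browser to trigger cross-site, so the browser asks first.
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return true;
    if (lower === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;
    }
  }
  return false;
}

// The OPTIONS request the browser sends before, say, a DELETE from https://example.com.
function buildPreflight(path, method, origin, headers = {}) {
  const lines = [
    `OPTIONS ${path} HTTP/1.1`,
    `Origin: ${origin}`,
    `Access-Control-Request-Method: ${method.toUpperCase()}`,
  ];
  const extra = Object.keys(headers).map(h => h.toLowerCase()).filter(h => !SAFELISTED_HEADERS.has(h));
  if (extra.length) lines.push(`Access-Control-Request-Headers: ${extra.join(', ')}`);
  return lines.join('\r\n');
}

// Server side: grant the preflight only for origins and methods on the allow-list.
// Answering with no CORS headers at all makes the browser abort the real request.
function answerPreflight(policy, preflight) {
  const originOk = policy.allowedOrigins.includes(preflight.origin);
  const methodOk = policy.allowedMethods.includes(preflight.method.toUpperCase());
  if (!originOk || !methodOk) return { status: 204, headers: {} };
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': preflight.origin, // echo one origin; never '*' with credentials
      'Access-Control-Allow-Methods': policy.allowedMethods.join(', '),
      'Access-Control-Max-Age': '600',
    },
  };
}

console.log(buildPreflight('/resource/foo', 'DELETE', 'https://example.com'));
```

The server in question 1 sends no Access-Control-Allow-Origin header, so a fetch from https://attacker.com is sent (it is a simple GET) but the response is withheld from the page; the DOM access in question 2 is refused outright because the two documents are different origins.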

5. More Cookies: An attacker includes the following HTML in their site hosted at https://attacker.com which makes a GET request to a vulnerable bank server and transfers money into the attacker's account.

The attacker is hoping the user is already authenticated with the bank site before they visit https://attacker.com and send the above GET request to the bank. The attacker entices users to visit their site by including hundreds of cute kittens like these ones: Explain how the bank can modify their server code to protect users from this attack.

6. XSS:

The following Express route handler implements the homepage of the site at https://insecure.example.com but it is vulnerable to reflected XSS.

```javascript
app.get('/', (req, res) => {
  let welcomeMessage = 'Welcome to our site!'
  if (req.query.source) {
    welcomeMessage = `Welcome ${req.query.source} reader!`
  }
  res.send(`
    ${welcomeMessage}

    This site uses top-of-the-line security and encryptions!!!1
  `)
})
```

Recall that the req.query property in Express is an object containing a property for each query string parameter in the route. For example, if the user visits https://insecure.example.com/?name=zelda, then the value of req.query will be { name: 'zelda' }. If there is no query string, it is the empty object, {}.

Describe the XSS vulnerability in the code and provide a URL which an attacker could get a victim to visit in order to pull off a reflected XSS attack against them. The URL you provide should execute the following code: alert(document.cookie).
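The fix for question 6 is output encoding at the point where the untrusted value enters HTML. The following is an added example, not part of the exam, that rewrites the handler's rendering as two pure functions (vulnerable and fixed) so they can be compared without starting Express, and builds the attacker's URL with the payload percent-encoded so it survives the trip through the browser and Express's query parser. The payload string and the helper names are constructed for the demo.

```javascript
// Added example (not from the exam): reflected XSS in the welcome message, and the
// same rendering with HTML encoding. Payload and helpers are constructed for the demo.

// Encode the five characters that can change context inside HTML text or attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, ch => map[ch]);
}

// Vulnerable: the query parameter is pasted straight into the page as markup.
function renderHomepageVulnerable(query) {
  let welcomeMessage = 'Welcome to our site!';
  if (query.source) welcomeMessage = `Welcome ${query.source} reader!`;
  return `${welcomeMessage}\nThis site uses top-of-the-line security and encryptions!!!1`;
}

// Fixed: the untrusted value is encoded where it enters HTML, so "<script>" becomes
// visible text instead of an element.
function renderHomepageFixed(query) {
  let welcomeMessage = 'Welcome to our site!';
  if (query.source) welcomeMessage = `Welcome ${escapeHtml(query.source)} reader!`;
  return `${welcomeMessage}\nThis site uses top-of-the-line security and encryptions!!!1`;
}

// The URL an attacker would send: percent-encoding keeps the payload intact in the
// address bar and Express decodes it back into req.query.source.
function reflectedXssUrl(payload) {
  return 'https://insecure.example.com/?source=' + encodeURIComponent(payload);
}

// Parse a single-valued query the way the server would see it.
function queryFromUrl(url) {
  return Object.fromEntries(new URL(url).searchParams);
}

const PAYLOAD = '<script>alert(document.cookie)</script>'; // constructed for the demo
const url = reflectedXssUrl(PAYLOAD);
console.log(url);
console.log(renderHomepageVulnerable(queryFromUrl(url)));
console.log(renderHomepageFixed(queryFromUrl(url)));
```

Two practical notes: Express's query parser can turn `?source[]=a&source[]=b` into an array, which `String()` in escapeHtml joins with commas rather than crashing on; and encoding is context-specific, so a value placed inside a script block, a URL or an event-handler attribute needs a different encoder than the HTML-text one shown here.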

7. More XSS:

8. CSP:

The given CSP is applied to the given HTML page. Specify which resources, if any, will be blocked from loading by the CSP. There may be more than one.

CSP: Content-Security-Policy: default-src 'none'; script-src 'self' https://partner.example.com; img-src 'self' https://images.example.com; style-src 'self';

HTML:

Top memes:
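The CSP questions in the Short Answer section and question 8 here are all exercises in the same matching rules: which directive governs a resource, what happens when that directive is absent (fall back to default-src), and how 'self', 'none', host sources and inline code are treated. The following is an added example, not part of the exam, implementing those rules for fetch directives. It covers 'self', 'none', 'unsafe-inline', and host sources with an optional scheme, wildcard subdomain and port; nonces, hashes, source paths and 'strict-dynamic' are deliberately left out. The page origin https://example.com and the candidate resource URLs are assumptions for the demo, since the exam's HTML is not reproduced on this page.

```javascript
// Added example (not from the exam): a small CSP fetch-directive evaluator.
// Page origin and resource URLs below are assumptions made for the demo.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return policy;
}

const DEFAULT_PORT = { 'https:': '443', 'http:': '80', 'wss:': '443', 'ws:': '80' };

// Host-source matching: [scheme://]host[:port], host may be "*" or "*.example.com".
function hostSourceMatches(expr, url, pageProtocol) {
  let scheme = null;
  let rest = expr;
  const i = expr.indexOf('://');
  if (i !== -1) { scheme = expr.slice(0, i).toLowerCase() + ':'; rest = expr.slice(i + 3); }
  rest = rest.split('/')[0]; // source paths are ignored in this demo
  const [hostPattern, portPattern] = rest.split(':');
  // a scheme-less host source matches the page's scheme (and https when the page is http)
  const schemeOk = scheme ? url.protocol === scheme : (url.protocol === pageProtocol || url.protocol === 'https:');
  if (!schemeOk) return false;
  const host = url.hostname.toLowerCase();
  const pat = hostPattern.toLowerCase();
  const hostOk = pat === '*' || (pat.startsWith('*.') ? host.endsWith(pat.slice(1)) : host === pat);
  if (!hostOk) return false;
  const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
  if (portPattern === undefined) return urlPort === (DEFAULT_PORT[url.protocol] || '');
  return portPattern === '*' || portPattern === urlPort;
}

// Is fetching `resourceUrl` under `directive` allowed? Pass null as the resource for an
// inline <script> or <style>, which only 'unsafe-inline' permits in this demo.
function cspAllows(header, directive, resourceUrl, pageOrigin) {
  const policy = parseCsp(header);
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // neither the directive nor default-src: unrestricted
  if (resourceUrl === null) return sources.includes("'unsafe-inline'");
  if (sources.includes("'none'")) return false;
  const url = new URL(resourceUrl);
  const page = new URL(pageOrigin);
  return sources.some(src => {
    if (src === "'self'") return url.origin === page.origin;
    if (src.startsWith("'")) return false; // keywords, nonces and hashes never match a URL
    return hostSourceMatches(src, url, page.protocol);
  });
}

// Question 8's policy, with the page assumed to live at https://example.com.
const Q8_CSP = "default-src 'none'; script-src 'self' https://partner.example.com; img-src 'self' https://images.example.com; style-src 'self';";
const PAGE = 'https://example.com';

// Constructed candidates standing in for the exam's HTML; returns the ones the CSP blocks.
function q8Blocked() {
  const candidates = [
    ['script-src', 'https://example.com/app.js'],
    ['script-src', 'https://partner.example.com/widget.js'],
    ['script-src', 'https://evil.example.net/x.js'],
    ['script-src', null],
    ['img-src', 'https://images.example.com/meme.png'],
    ['img-src', 'https://cdn.other.com/meme.png'],
    ['style-src', 'https://example.com/site.css'],
    ['font-src', 'https://example.com/font.woff'],
  ];
  return candidates
    .filter(([directive, resource]) => !cspAllows(Q8_CSP, directive, resource, PAGE))
    .map(([directive, resource]) => `${directive} ${resource ?? '(inline)'}`);
}

console.log(q8Blocked());
```

Two points the evaluator makes concrete: under `script-src 'self'` an injected inline script is blocked even though the attacker controls the page body, while adding a CDN host to script-src re-opens the door for any script the attacker can get hosted on that CDN; and a resource type with no directive of its own (fonts here) inherits default-src 'none' and is blocked even from the page's own origin.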

10. Command injection: The following Node.js program implements an HTTP server which accepts a user-provided filename and returns the contents of the specified file to the user, if it exists on the server. The file should only be returned if it exists in a folder named "static" where static files intended for viewing are stored.

```javascript
const express = require('express')
const childProcess = require('child_process')
const app = express()

app.get('/', (req, res) => {
  res.send(`
    File viewer
  `)
})

app.get('/view', (req, res) => {
  const { filename } = req.query
  try {
    const stdout = childProcess.execSync('cat static/' + filename)
    // command succeeded, file exists
    res.send(stdout.toString())
  } catch (err) {
    // command failed, file does not exist
    res.send(err.toString())
  }
})

app.listen(4000, '127.0.0.1')
```

Recall, the execSync function takes one or more commands to run, and runs them. If the command succeeds, the function returns the standard output. Otherwise, it throws an exception. Also recall, the cat program reads files sequentially, writing them to standard output. For example, the command cat file.txt will cause the contents of file.txt to be printed to the terminal. Here's an example request and response interaction with this server.

Request:

```http
GET /view?filename=hello.txt HTTP/1.1
Host: localhost:4000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1)
```

Response:

```http
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Tue, 10 Dec 2019 00:00:00 GMT

Hello, world!
```

There is a glaring security vulnerability in this server. What is the issue? How could the issue be fixed? Hint: There are actually two security vulnerabilities, but you only need to find one of them.

12. Logic bug:

13. Winter break (1 point): What are you most looking forward to doing during the winter break?

Have an amazing winter break!