Stanford University. Computer Science Department. CS 253 Final Exam Fall 2019. December 10, 2019. This is a closed book exam.
This is a closed book exam. You may use two (double-sided) sheets of notes. You have 3 hours. Write all of your answers directly on the paper. Make your answers as concise as possible.

NOTE: We will take off points if a correct answer also includes incorrect or irrelevant information (i.e. don't write everything you know in hopes of saying the correct buzzword.)

    Question                     Score
    True/False (14 points)
    Short Answer (22 points)
    Free Response (37 points)
    TOTAL (73 possible points)
In accordance with both the letter and the spirit of the Honor Code, I did not cheat on this exam nor will I assist someone else in cheating. Name and SUNet ID: Signature:
For each question, write either "True" or "False".
For each question, write an answer using no more than 150 words.
1. Same Origin Policy: Would the following code running on https://attacker.com be allowed to print out the contents of the Axess homepage, which include the currently logged-in user's grades? Why or why not?
You can assume that https://axess.stanford.edu does not send any special HTTP headers such as Access-Control-Allow-Origin, which are also known as "CORS" headers.
2. More Same Origin Policy: Would the following code running on https://attacker.com be allowed to listen to the 'submit' event on the bank's login form and grab the username and password? Why or why not?
3. CORS Preflight: Explain why the browser must send an OPTIONS or "preflight" request to the server before it sends certain HTTP requests. To help jog your memory, here is an example of an OPTIONS request:

    OPTIONS /resource/foo
    Access-Control-Request-Method: DELETE
    Origin: https://example.com
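Added example, not part of the exam: the two halves of the preflight exchange in question 3 as pure functions that run offline. needsPreflight() models the browser's rule for which cross-origin requests are "simple" enough to send without asking first; handlePreflight() models a server that answers the OPTIONS request only for origins on an allow list, comparing the same scheme/host/port triple the Same Origin Policy uses in questions 1 and 2. The allow list, the method list and the request objects are assumptions.

```javascript
// Added example, not the exam's code. Browser side first: a cross-origin
// request may be sent without a preflight only if its method is GET/HEAD/POST
// and it carries nothing beyond the safe-listed headers below.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;      // DELETE, PUT, PATCH, ...
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(lower)) return true;                    // any custom header, e.g. X-Token
    if (lower === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;             // e.g. application/json
    }
  }
  return false;
}

// Server side. An origin is scheme + host + port, exactly what the Same Origin
// Policy compares; the allow list and method list are assumed values.
const ALLOWED_ORIGINS = new Set(['https://example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'DELETE'];

function normalizeOrigin(value) {
  try {
    return new URL(value).origin;                                    // "https://example.com/" -> "https://example.com"
  } catch {
    return null;                                                     // missing or malformed Origin header
  }
}

function isAllowedOrigin(origin) {
  const o = normalizeOrigin(origin);
  return o !== null && ALLOWED_ORIGINS.has(o);
}

// req: { method: 'OPTIONS', headers: { origin, 'access-control-request-method' } }
// Returns the status and headers the server would answer with.
function handlePreflight(req) {
  const origin = req.headers.origin;
  const wanted = (req.headers['access-control-request-method'] || '').toUpperCase();
  if (!isAllowedOrigin(origin) || !ALLOWED_METHODS.includes(wanted)) {
    // No CORS headers at all: the browser fails the preflight and the real
    // request (the DELETE) is never sent, which is what the preflight is for.
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': normalizeOrigin(origin),        // echo only an allowed origin, never '*' for credentialed APIs
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Max-Age': '600',                               // seconds the browser may cache this answer
      'Vary': 'Origin',                                              // shared caches must key on the Origin header
    },
  };
}

// Constructed OPTIONS requests modelled on the exam's example
const preflightFromExample = {
  method: 'OPTIONS',
  headers: { origin: 'https://example.com', 'access-control-request-method': 'DELETE' },
};
const preflightFromElsewhere = {
  method: 'OPTIONS',
  headers: { origin: 'https://example.net', 'access-control-request-method': 'DELETE' },
};

console.log(needsPreflight('DELETE'), needsPreflight('GET'));
console.log(handlePreflight(preflightFromExample));
console.log(handlePreflight(preflightFromElsewhere));
```

The point of the 403 branch is that a server which never answers the preflight for an unknown origin is never asked the DELETE at all; a GET or form POST, by contrast, is "simple" and reaches the server regardless, which is why CORS headers protect reads but do not by themselves prevent the cross-site write in question 5.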
5. More Cookies: An attacker includes the following HTML in their site hosted at https://attacker.com which makes a GET request to a vulnerable bank server and transfers money into the attacker's account.
The attacker is hoping the user is already authenticated with the bank site before they visit https://attacker.com and send the above GET request to the bank. The attacker entices users to visit their site by including hundreds of cute kittens like these ones: Explain how the bank can modify their server code to protect users from this attack.
The following Express route handler implements the homepage of the site at https://insecure.example.com but it is vulnerable to reflected XSS.

    app.get('/', (req, res) => {
      let welcomeMessage = 'Welcome to our site!'
      if (req.query.source) {
        welcomeMessage = `Welcome ${req.query.source} reader!`
      }
      res.send(`
        ${welcomeMessage}
        This site uses top-of-the-line security and encryptions!!!1
      `)
    })

Recall that the req.query property in Express is an object containing a property for each query string parameter in the route. For example, if the user visits https://insecure.example.com/?name=zelda, then the value of req.query will be { name: 'zelda' }. If there is no query string, it is the empty object, {}.

Describe the XSS vulnerability in the code and provide a URL which an attacker could get a victim to visit in order to pull off a reflected XSS attack against them. The URL you provide should execute the following code: alert(document.cookie).

(Continued…) 7. More XSS:
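Added example, not the exam's code: the reflected-XSS sink from the Express handler above, rebuilt as a pure function of the query object so it can be inspected without starting a server, next to a version that HTML-encodes the untrusted value before interpolating it. The escapeHtml helper, the containsMarkup check and the sample query values are assumptions, and the page markup stripped from the exam listing is not reconstructed.

```javascript
// Added example, not the exam's code.

// Encode the five characters that let text break out of an HTML text node or
// attribute value. Applied at the moment a value enters HTML, not on input.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable, as in the exam: req.query.source is placed in the page verbatim.
function renderHome(query) {
  let welcomeMessage = 'Welcome to our site!';
  if (query.source) {
    welcomeMessage = `Welcome ${query.source} reader!`;
  }
  return `${welcomeMessage}\nThis site uses top-of-the-line security and encryptions!!!1`;
}

// Fixed: the only change is escaping the attacker-controlled value.
function renderHomeSafe(query) {
  let welcomeMessage = 'Welcome to our site!';
  if (query.source) {
    welcomeMessage = `Welcome ${escapeHtml(query.source)} reader!`;
  }
  return `${welcomeMessage}\nThis site uses top-of-the-line security and encryptions!!!1`;
}

// Crude detector: does any raw tag opener survive in the rendered body?
// Useful as a regression test on a handler whose template has no tags of its own.
function containsMarkup(html) {
  return /<[a-zA-Z\/!]/.test(html);
}

// Constructed inputs: a normal visitor and a query carrying markup.
const benignQuery = { source: 'zelda' };
const markupQuery = { source: '<script>alert(1)</script>' };

console.log(renderHome(markupQuery));       // tag reaches the browser unchanged
console.log(renderHomeSafe(markupQuery));   // tag is rendered as literal text
```

Express's res.send() sets Content-Type to text/html when given a string, so whatever renderHome returns is parsed as markup by the browser; that is why encoding at the sink, rather than trusting the query string, is the fix.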
The given CSP is applied to the given HTML page. Specify which resources, if any, will be blocked from loading by the CSP. There may be more than one.

CSP:

    Content-Security-Policy: default-src 'none'; script-src 'self' https://partner.example.com; img-src 'self' https://images.example.com; style-src 'self';

HTML:
Top memes:
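Added example, not part of the exam: a small evaluator for the fetch-directive subset of CSP that the question above exercises. parseCsp() turns the header value into a map of directive to source list, and isAllowed() applies the fallback rule a browser uses: a resource type consults its own directive (script-src, img-src, style-src, and so on) and falls back to default-src only when that directive is absent. The policy string is the exam's; the page origin and the list of resource loads are constructed, since the exam's HTML is not reproduced on this page. The host-source matcher also handles scheme, wildcard-subdomain and port forms beyond the ones the exam's policy uses.

```javascript
// Added example, not the exam's code.
const PAGE_ORIGIN = 'https://example.com';   // assumed origin of the page carrying the policy

// "default-src 'none'; script-src 'self' https://x" -> Map { 'default-src' => ["'none'"], ... }
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;        // trailing semicolon
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function defaultPort(protocol) {
  return protocol === 'https:' ? '443' : protocol === 'http:' ? '80' : '';
}

// Does one source expression permit the URL? Covers 'none', 'self', '*' and
// host sources of the form [scheme://][*.]host[:port|:*].
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  switch (source) {
    case "'none'": return false;
    case "'self'": return u.origin === pageOrigin;
    case '*':      return true;
    default: {
      const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(source);
      if (!m) return false;                   // keywords like 'unsafe-inline' are not host sources
      const [, scheme, wildcard, host, port] = m;
      if (scheme && scheme.toLowerCase() !== u.protocol.replace(':', '')) return false;
      const hostOk = wildcard
        ? u.hostname.endsWith('.' + host.toLowerCase())
        : u.hostname === host.toLowerCase();
      if (!hostOk) return false;
      if (port && port !== '*' && port !== (u.port || defaultPort(u.protocol))) return false;
      return true;
    }
  }
}

// type is the directive prefix: 'script', 'img', 'style', 'font', ...
function isAllowed(policy, type, url, pageOrigin = PAGE_ORIGIN) {
  const directive = `${type}-src`;
  const sources = policy.has(directive) ? policy.get(directive) : policy.get('default-src');
  if (!sources) return true;                  // neither directive nor default-src: unrestricted
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

function blockedLoads(policy, loads) {
  return loads.filter(([type, url]) => !isAllowed(policy, type, url)).map(([, url]) => url);
}

// The exam's policy verbatim.
const EXAM_CSP = "default-src 'none'; script-src 'self' https://partner.example.com; img-src 'self' https://images.example.com; style-src 'self';";
const examPolicy = parseCsp(EXAM_CSP);

// Constructed resource loads standing in for the exam's HTML.
const sampleLoads = [
  ['script', 'https://example.com/app.js'],
  ['script', 'https://partner.example.com/widget.js'],
  ['script', 'https://cdn.example.net/lib.js'],
  ['img',    'https://images.example.com/cat.png'],
  ['img',    'https://tracker.example.org/pixel.gif'],
  ['style',  'https://example.com/site.css'],
  ['font',   'https://fonts.example.org/f.woff2'],   // no font-src, so default-src 'none' governs
];

console.log(blockedLoads(examPolicy, sampleLoads));
```

The font line is the case people miss: default-src is not a global allow list but the fallback for every fetch directive the policy does not name, so 'none' there blocks fonts, frames, XHR and media even though the policy never mentions them.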
10. Command injection: The following Node.js program implements an HTTP server which accepts a user-provided filename and returns the contents of the specified file to the user, if it exists on the server. The file should only be returned if it exists in a folder named "static" where static files intended for viewing are stored.

    const express = require('express')
    const childProcess = require('child_process')

    const app = express()

    app.get('/', (req, res) => {
      res.send(`
        File viewer
      `)
    })

    app.get('/view', (req, res) => {
      const { filename } = req.query
      try {
        const stdout = childProcess.execSync('cat static/' + filename)
        // command succeeded, file exists
        res.send(stdout.toString())
      } catch (err) {
        // command failed, file does not exist
        res.send(err.toString())
      }
    })

    app.listen(4000, '127.0.0.1')

Recall, the execSync function takes one or more commands to run, and runs them. If the command succeeds, the function returns the standard output. Otherwise, it throws an exception. Also recall, the cat program reads files sequentially, writing them to standard output. For example, the command cat file.txt will cause the contents of file.txt to be printed to the terminal.

Here's an example request and response interaction with this server.

Request:

    GET /view?filename=hello.txt HTTP/1.1
    Host: localhost:4000
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1)

Response:

    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Date: Tue, 10 Dec 2019 00:00:00 GMT

    Hello, world!

There is a glaring security vulnerability in this server. What is the issue? How could the issue be fixed? Hint: There are actually two security vulnerabilities, but you only need to find one of them.
(Continued…) 12. Logic bug:
13. Winter break (1 point): What are you most looking forward to doing during the winter break?