D385: FINAL EXAM CORRECTED - NO CODING, Exams of Software Engineering


Typology: Exams

2023/2024

Available from 03/17/2024

Achieverr
D385: FINAL EXAM CORRECTED - NO CODING

Output from requests.get("https://randomuser.me/api/") - correct answers; <Response [200]>

Status Code: 201 - correct answers; - Created
  • Your request was accepted and the resource was created

Status Code: 400 - correct answers; - Bad Request
  • Your request is either wrong or missing some information

Status Code: 401 - correct answers; - Unauthorized
  • Your request requires some additional permissions
  • Usually means you lack authentication, not authorization

Status Code: 404 - correct answers; - Not Found
  • The requested resource does not exist

Status Code: 405 - correct answers; - Method Not Allowed
  • The endpoint does not allow for that specific HTTP method

Status Code: 500 - correct answers; - Internal Server Error
  • Your request wasn't expected and probably broke something on the server side

HTTP Header: Accept - correct answers; - What type of content the CLIENT can accept
  • Example value: application/json, text/html;q=0.9, */*;q=0.8

HTTP Header: Content-Type - correct answers; - What type of content the SERVER responds with (GET, POST, etc.)
  • What type of content the CLIENT is sending (POST, PUT, PATCH)

HTTP Header: User-Agent - correct answers; - What SOFTWARE the CLIENT is using to communicate with the server

HTTP Header: Server - correct answers; - What SOFTWARE the SERVER is using to communicate with the client
  • This is usually omitted for security reasons

HTTP Header: Authentication - correct answers; - Who is calling the API and what credentials they have

How to inspect the Response Headers? - correct answers; - response.headers

How to inspect the Request Headers? - correct answers; - response.request.headers

Example of Custom Headers? - correct answers; - Start with 'x'
  • headers = {"X-Request-Id": "<my-request-id>"}

What is the default Content-Type most APIs use? - correct answers; - JSON

How do you inspect the Content-Type Header? - correct answers; - response.headers.get("Content-Type")
  • Example: 'application/json; charset=utf-8'

What is the difference between response.text and response.content? - correct answers; - response.text returns unicode
  • response.content returns bytes

Set-Cookie Directive: Secure - correct answers; - Resists MITM attacks
  • Example: Set-Cookie: sessionid=<session-id-value>; Secure
  • Restricts the cookie to HTTPS connections only

What setting adds or removes the Secure directive? - correct answers; - SESSION_COOKIE_SECURE
  • Adds/removes the Secure directive on the session ID Set-Cookie header
  • This setting is FALSE by default

Set-Cookie Directive: Domain - correct answers; - Controls which hosts (domains) the browser should send the session ID to, and from which it should process a received session ID
  • Example: Set-Cookie: sessionid=<session-id-value>; Domain=alice.com
  • None is the default setting

What happens when the Domain directive is set to 'alice.com'? - correct answers; - The browser will now echo back the cookie to both 'alice.com' and 'sub.alice.com'

Set-Cookie Directive: Max-Age - correct answers; - Declares an expiration time for the cookie
  • Example: Set-Cookie: sessionid=<session-id-value>; Max-Age=

What does Django use the SECRET_KEY setting for? - correct answers; - Keyed hashing (ex: password hashing)
  • CSRF protection (ex: generating CSRF tokens)
  • If it involves hashing or generating a token, SECRET_KEY can be involved

OAuth Authorization Code Flow - correct answers;
  1. Requesting authorization
  2. Granting authorization
  3. Performing token exchange
  4. Accessing protected resources
  • RGEA - Request, grant, exchange, access

Content-Security-Policy - correct answers; - Primary goal is to protect against XSS
  • Restricts what a browser can do with a response
  • Designed to prevent or mitigate various web attacks

Use CSP to block XSS and JavaScript - correct answers; - Content-Security-Policy: script-src 'none'
  • This blocks ALL JavaScript, inline and external

What are the 3 major directive types for CSP? - correct answers; - Fetch directives
  • Navigation directives
  • Document/Resource loading directives

CSP: default-src - correct answers; - A browser falls back to 'default-src' when it does not receive an explicit FETCH directive
  • Recommended to be combined with the 'self' source
  • 'self' allows content processing from the same origin where the resource was obtained

CSP: default-src (example) - correct answers; - Content-Security-Policy: default-src 'self'
  • The content must have the same 'origin'
  • origin = same protocol, host, and port of the resource URL

What is the opposite of 'script-src none'? - correct answers; - unsafe-inline or unsafe-eval
  • Permits the browser to execute XSS vectors such as inline script tags and javascript URLs

What two CSP sources should be avoided? - correct answers; - unsafe-inline
  • unsafe-eval (permits the browser to execute any JavaScript)

How do you strike a balance between 'script-src none' and 'unsafe-inline' or 'unsafe-eval'? - correct answers; - With a 'nonce'

Same-origin-policy - correct answers; - Ensures that resources are accessible to documents with the same origin
  • origin = domain

CORS - correct answers; - Cross-Origin Resource Sharing
  • A way to modify a browser's SOP (Same-origin-policy)

CORS: Allow Specific Domain - correct answers; - Access-Control-Allow-Origin: https://alice.com

What are the 3 Access-Control-Allow-Origin settings? - correct answers; - CORS_ORIGIN_ALLOW_ALL
  • CORS_ORIGIN_WHITELIST
  • CORS_ORIGIN_REGEX_WHITELIST

CORS_ORIGIN_ALLOW_ALL - correct answers; - If TRUE, then sets Access-Control-Allow-Origin to *

CORS_ORIGIN_WHITELIST - correct answers; - Shares resources with one or more specific origins
  • Example: CORS_ORIGIN_WHITELIST = ['https://alice.com', 'https://charlie.com:8002']

How does the browser know the 'origin' of a request? - correct answers; - The browser designates the request origin with a header named Origin

CORS_ORIGIN_REGEX_WHITELIST - correct answers; - A list of regular expressions

Preflight Request - correct answers; - CORS needs a way to discover if the server is prepared BEFORE sending a cross-origin unsafe request
  • This discovery mechanism is called a 'preflight request'
  • Always uses the HTTP OPTIONS method

What setting permits browsers to include credentials? - correct answers; - Access-Control-Allow-Credentials header
  • Added to the /comment/ preflight response
  • Designed to relax SOP
  • Example: Access-Control-Allow-Credentials: true

What are examples of credentials browsers can include? - correct answers; - Cookies
  • Authorization headers
  • TLS certificates

What is the purpose of the X-Frame-Options response header? - correct answers; - Resist clickjacking
  • Obsoleted by Content-Security-Policy
  • Can be either DENY or SAMEORIGIN
  • Example: X_FRAME_OPTIONS = 'SAMEORIGIN'

frame-ancestors directive - correct answers; - Informs the browser about whether a resource may be embedded in an iframe, frame, or object
  • Safe and more flexible than X-Frame-Options
  • 'none' forbids the response from being embedded anywhere
  • Example: Content-Security-Policy: frame-ancestors

Log Injection Attack - correct answers; - Data enters an application from an untrusted source.
  • The data is written to an application or system log file.
  • Successful log injection attacks can cause:
  • Injection of new/bogus log events (log forging via log injection)
  • Injection of XSS attacks, hoping that the malicious log event is viewed in a vulnerable web application
  • Injection of commands that parsers (like PHP parsers) could execute

What standard restricts what a browser can do with a response? - correct answers; - CSP (Content Security Policy)

What is a "source"? - correct answers; - An acceptable location for the browser to retrieve content from

CSP example restricting JavaScript and requiring HTTPS - correct answers; - Content-Security-Policy: script-src 'none' https:

What is highly recommended when using CSP default-src? - correct answers; - Use the 'self' source instead of 'none'
  • 'self' permits the browser to process content from a specific place
  • The content must come from wherever the browser obtained the resource (same origin)
  • origin = protocol, host, and port in the URL

CSRF resistance? - correct answers; - Validating the Referer header
  • Compares its domain to the domain of the Referer header

Unsafe Referrer-Policy headers? - correct answers; - unsafe-url (sends the referrer address for every request)

Referrer-Policy: strict-origin - correct answers; - Send nothing if the protocol is downgraded from HTTPS to HTTP

Referrer-Policy: same-origin - correct answers; - Send the referrer header for same-site requests only (must match protocol, domain, and port exactly)
  • Path and query string are not included

Referrer-Policy: origin - correct answers; - Only the client's origin will be sent in the HTTP Referer header

CSRF Token Process - correct answers;
  1. Server generates a token and sends it to the browser
  2. The browser echoes back the token in ways the attacker cannot forge (this isn't true, but it's correct for the exam)
  • Example: Set-Cookie: csrftoken=<token-value>

CORS and CSRF - correct answers; - CORS headers CANNOT resist CSRF because a CSRF exploit uses the same origin (also, origin can easily be spoofed)
  • Request forgery requires a session ID; resource sharing does not

What is CSRF? - correct answers; - CSRF (Cross-Site Request Forgery) is a type of vulnerability where an attacker tricks a user into unintentionally performing actions on a website without their consent, often by exploiting the user's authenticated session.