Software Security Week 3 badstore Quiz Answer
In this article I am going to share the Coursera course Software Security Week 3 BadStore quiz answers with you.
Also visit this link: Software Security Week 1 VM BOF Quiz Answer
badstore Quiz Answer
Question 1) One of the BadStore pages has a hidden form field that establishes a new user’s privilege level. What is the name of this field?
Answer: role
Question 2) How many items for purchase are in BadStore’s database? Use SQL injection on the quick search form field to find out.
Answer: 16 (*’–‘)
Question 3) Which of the following operations are suppliers permitted to do?
- Use SQL injection to bypass authentication, or find a way to create an account as a supplier.
- Cancel contract
- Upload price list
- View existing price list
- Submit monthly bill payment
- Download an activity report
Answer: ‘OR 1=1 OR’
Question 4) Log in as [email protected] — this is possible in a variety of ways, including SQL injection. Then look at his previous orders and answer the question: What credit card number did he use to make a purchase of $46.95? Multiple answers are possible, but we will accept all of them.
Answer: 5500000000000004
Question 5) Get administrator privileges and then use the admin action to look at the user database. There are two users whose emails have the form [email protected]; what is the XXX portion of either of the two users? For example, if one of the users is [email protected], the right answer is jackie. (The answer is case-sensitive.)
Answer: fred
Question 6) BadStore uses cookies to implement a session key, once you’ve authenticated, and for tracking the contents of the cart, once you’ve added something to it. You can figure out the cookies in use by BadStore in various ways. One way is to do an XSS attack on the guest book. Get the guest book to run the code <script>alert(document.cookie)</script> and it will tell you the current cookies. (Be sure you have popups enabled on your browser or this won’t work.) Alternatively, you can examine the cookies directly using Firefox developer tools. Recall that cookies are pairs key=value. What is the key of the session cookie?
Answer: SSOid

(The cookies observed in the browser were: SSOid=YWRtaW46NWViZTIyOTRlY2QwZTBmMDhlYWI3NjkwZDJhNmVlNjk6TWFzdGVyIFN5c3RlbSBBZG1p%0AbmlzdHJhdG9yOkE%3D%0A; CartID=1416121184%3A2%3A4010.5%3A1000%3A1004)
Question 7) What is the key of the cookie used for the cart?
Answer: CartID
Question 8) BadStore’s session cookie format is poorly designed because it uses a predictable structure. In particular, it is an encoded string (with a URL-encoded newline at the end) of the form XXX:YYY:ZZZ:U. What are the XXX, YYY, and ZZZ portions of this string?
Answer:
- e-mail address
- MD5 hash of password
- user ID
- role
Question 9) BadStore’s cart cookie is also an encoded string with a predictable structure XXX:YYY:… etc., and it probably contains information it shouldn’t. Which field of the decoded string could an attacker change to give himself a discount on an item’s price?
Answer: 3