In this article I am going to share the Coursera course Software Security Week 3 BadStore quiz answers with you.
Software Security Week 3 badstore Quiz Answer
Also visit this link: Software Security Week 1 VM BOF Quiz Answer
badstore Quiz Answer
Question 1) One of the BadStore pages has a hidden form field that establishes a new user’s privilege level. What is the name of this field?
Question 2) How many items for purchase are in BadStore’s database? Use SQL injection on the quick search form field to find out.
Answer: 16 (*'--')
Question 3) Which of the following operations are suppliers permitted to do?
- Use SQL injection to bypass authentication, or find a way to create an account as a supplier.
- Cancel contract
- Upload price list
- View existing price list
- Submit monthly bill payment
- Download an activity report
Answer: 'OR 1=1 OR'
Question 4) Log in as firstname.lastname@example.org — this is possible in a variety of ways, including SQL injection. Then look at his previous orders and answer the question: What credit card number did he use to make a purchase of $46.95? Multiple answers are possible, but we will accept all of them.
Question 5) Get administrator privileges and then use the admin action to look at the user database. There are two users whose emails have the form XXX@whole.biz; what is the XXX portion of either of the two users? For example, if one of the users is email@example.com, the right answer is jackie. (The answer is case-sensitive.)
Answer: SSOid=YWRtaW46NWViZTIyOTRlY2QwZTBmMDhlYWI3NjkwZDJhNmVlNjk6TWFzdGVyIFN5c3RlbSBBZG1p%0AbmlzdHJhdG9yOkE%3D%0A; CartID=1416121184%3A2%3A4010.5%3A1000%3A1004
Question 7) What is the key of the cookie used for the cart?
Question 8) BadStore’s session cookie format is poorly designed because it uses a predictable structure. In particular, it is an encoded string (with a URL-encoded newline at the end) of the form XXX:YYY:ZZZ:U. What are the XXX, YYY, and ZZZ portions of this string?
- e-mail address
- MD5 hash of password
- user ID
Question 9) BadStore’s cart cookie is also an encoded string with a predictable structure XXX:YYY:… etc., and it probably contains information it shouldn’t. Which field of the decoded string could an attacker change to give himself a discount on an item’s price?
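Questions 8 and 9 are both about cookies whose contents are merely encoded, not protected. The following is an added example, not the course's or BadStore's own code: `encode_badstore_style` and `decode_badstore_style` reproduce the layout Question 8 describes (base64 of `XXX:YYY:ZZZ:U` with a URL-encoded newline at the end) for a constructed user, and show that every field is readable by anyone holding the cookie. `new_session` and `session_from_cookie` are a hardened alternative I am adding for contrast: the cookie carries only an opaque random ID plus an HMAC tag, the user's attributes live in a server-side store, and any edited cookie is rejected before it is looked up. `SERVER_KEY`, `SESSIONS` and the `role` field are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# --- The predictable layout the quiz describes: base64("XXX:YYY:ZZZ:U") + "%0A" ---

def encode_badstore_style(email, password, user_id, flag):
    """Build a cookie in the structure the quiz describes (constructed, not BadStore's code).

    Fields: e-mail, MD5 of the password, user ID, and a one-character trailing field.
    base64.encodebytes appends the newline that then URL-encodes to %0A.
    """
    raw = ":".join([email, hashlib.md5(password.encode()).hexdigest(), user_id, flag])
    return urllib.parse.quote(base64.encodebytes(raw.encode()).decode())


def decode_badstore_style(cookie):
    """Anyone holding the cookie can read every field: there is no key and no signature."""
    raw = base64.b64decode(urllib.parse.unquote(cookie))   # embedded newlines are skipped
    email, pw_hash, user_id, flag = raw.decode().split(":")
    return {"email": email, "password_hash": pw_hash, "user_id": user_id, "flag": flag}


# --- Hardened design: opaque random session ID, server-side record, HMAC on the wire ---

SERVER_KEY = secrets.token_bytes(32)   # constructed at import; production loads it from a secret store
SESSIONS = {}                           # session_id -> record, held only on the server


def new_session(email, user_id, role, key=SERVER_KEY):
    """Store the user's attributes server-side and return an HMAC-signed cookie value."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"email": email, "user_id": user_id, "role": role}
    tag = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id + "." + tag


def session_from_cookie(cookie, key=SERVER_KEY):
    """Return the server-side record for a valid cookie, or None if it was altered or forged."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison of the tags
        return None
    return SESSIONS.get(session_id)


if __name__ == "__main__":
    weak = encode_badstore_style("alice@example.com", "constructed-password", "1001", "U")
    print("weak cookie :", weak)
    print("decoded     :", decode_badstore_style(weak))   # hash and privilege field in the clear

    strong = new_session("alice@example.com", "1001", "user")
    print("signed cookie:", strong)
    print("lookup       :", session_from_cookie(strong))
    sid, tag = strong.rsplit(".", 1)
    altered = sid + "." + ("0" if tag[-1] != "0" else "1") + tag[1:]
    print("altered      :", session_from_cookie(altered))  # None: tag no longer matches
```

Two design points matter here. First, the weak format leaks the password hash and the privilege field to the client, and because the server has no way to tell a cookie it issued from one assembled elsewhere, every field is effectively client-controlled; that is the same defect the cart cookie in Question 9 has when it carries pricing data. Second, in the hardened version the cookie contains nothing worth reading, the 256-bit random ID is unguessable on its own, and the HMAC lets the server discard altered or fabricated cookies with a single keyed hash before touching the session store.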