

Web Security


Which prevents JavaScript code running on badsite.com from reading the session cookie for amazon.com?


the certificate authority


the Secure flag


the P3P privacy policy


the HttpOnly flag


the same origin policy


Which prevents JavaScript code successfully injected by an attacker into a page on amazon.com from reading the session cookie for amazon.com?


the certificate authority


the Secure flag


the P3P privacy policy


the HttpOnly flag


the same origin policy


Suppose a web server needs to distinguish a legitimate form submission generated by a user’s explicit action from a fraudulent one initiated by a third-party, malicious site. Validating which of the following would be the least effective in performing this task?


that the Cookie header contains the correct session cookie


that the correct CAPTCHA was submitted


that the referrer points to a trusted server


that the submitted password is correct


that the submitted anti-CSRF token is correct


Which of the following techniques for preventing an attacker from injecting unwanted JavaScript into a response would be the least effective?


replacing <, >, ", and ' with &lt;, &gt;, &quot;, and &#39;, respectively

replacing all non-alphanumeric characters by their HTML-entity equivalents


removing each string in the original input matching the regular expressions ]*> and ]*>


using a Content-Security-Policy that disallows inline JavaScript


using the innerText property, rather than innerHTML, to dynamically modify the DOM


Detour is a town in Carroll County, Maryland. To avoid confusion, traffic engineers place signs directing motorists to Detour or labeling roads named Detour on a green background, while construction-related detours requiring drivers to divert from their usual route are shown on a sign with an orange background. Which technical solution and problem are analogous?


replacing <><,=""><>

replacing a JavaScript identifier named for with _for, to prevent the parser from confusing the identifier with the for keyword


commenting code whenever other developers are likely to be confused by a particular statement or design


using _3d for a JavaScript identifier rather than 3d, since JavaScript will not allow an identifier to start with a digit


using SQL parameterized queries to pass input data separately from the query, so that data will not be confused with code


Problem Solving


[Calculator keypad, four keys per row:]

√    log   10^x   ÷
7    8     9      ×
4    5     6      -
1    2     3      +
0    .     +/-    =




Using the calculator above, how would you compute 7.0962.1018, if possible?


Using the calculator above, how would you compute 18, if possible?


Using the calculator above, how would you compute ln 3, if possible?


Using the calculator above, how would you compute sin 63.24°, if possible?



May 19, 2022