Web Security Which prevents JavaScript code running on badsite.com from reading

Question

Web Security

Which prevents JavaScript code running on badsite.com from reading the session cookie for amazon.com?

the certificate authority

the Secure flag

the P3P privacy policy

the HttpOnly flag

the same origin policy

Which prevents JavaScript code successfully injected by an attacker into a page on amazon.com from reading the session cookie for amazon.com? a. the certificate authority

the Secure flag

the P3P privacy policy

the HttpOnly flag

the same origin policy

Suppose a web server needs to distinguish a legitimate form submission generated by a user’s explicit action from a fraudulent one initiated by a third-party, malicious site. Validating which of the following would be the least effective in performing this task?

that the Cookie header contains the correct session cookie

that the correct CAPTCHA was submitted

that the referrer points to a trusted server

that the submitted password is correct

that the submitted anti-CSRF token is correct

Which of the following techniques for preventing an attacker from injecting unwanted JavaScript into a response would be the least effective?

replacing <, >, ", and ’ with &lt;, &gt;, &quot;, and &apos;, respectively.

replacing all non-alphanumeric characters by their HTML-entity equivalents

removing each string in the original input matching the regular expressions <script[ˆ>]*> and </script[ˆ>]*>

using a Content-Security-Policy that disallows inline JavaScript

using the innerText property, rather than innerHTML, to dynamically modify the DOM

Detour is a town in Carroll County, Maryland. To avoid confusion, traffic engineers place signs directing motorists to Detour or labeling roads named Detour on a green background, while construction-related detours requiring drivers to divert from their usual route are shown on a sign with an orange background. Which technical solution and problem are analogous?

replacing < with &lt;, so that a browser will not confuse < with the start of an HTML tag

replacing a JavaScript identifier named for with _for, to prevent the parser from confusing the identifier with the for keyword

commenting code whenever other developers are likely to be confused by a particular statement or design

using _3d for a JavaScript identifier rather than 3d, since JavaScript will not allow an identi-

fier to start with a digit

using SQL parameterized queries to pass input data separately from the query, so that data will not be confused with code

Problem Solving

log

10x

÷

7

8

9

×

4

5

6

-

1

2

3

+

0

.

+/-

=

Using the calculator above, how would you compute 7.0962.1018, if possible?

_________________________________________________________________________

Using the calculator above, how would you compute 18, if possible?

_________________________________________________________________________

Using the calculator above, how would you compute ln3, if possible?

__________________________________________________________________________

Using the calculator above, how would you compute sin63. 24°, if possible?

_________________________________________________________________________

log

10x

÷

7

8

9

×

4

5

6

-

1

2

3

+

0

.

+/-

=

Explanation / Answer

Which prevents JavaScript code running on badsite.com from reading the session cookie for amazon.com?
Answer: The same origin policy. With this policy activated a website cannot read other website's session cookie.

Which prevents JavaScript code successfully injected by an attacker into a page on amazon.com from reading the session cookie for amazon.com?
Answer: The HttpOnly flag. With HttpOnly flag set, client side can not read cookie.

Suppose a web server needs to distinguish a legitimate form submission generated by a user’s explicit action from a fraudulent one initiated by a third-party, malicious site. Validating which of the following would be the least effective in performing this task?
Answer: That the submitted anti-CSRF token is correct. Anti-CSRF tokens are associated with forms to nullify Cross-Site Request Forgery.

Which of the following techniques for preventing an attacker from injecting unwanted JavaScript into a response would be the least effective?
Answer: Using a Content-Security-Policy that disallows inline JavaScript

Detour is a town in Carroll County, Maryland. To avoid confusion, traffic engineers place signs directing motorists to Detour or labeling roads named Detour on a green background, while construction-related detours requiring drivers to divert from their usual route are shown on a sign with an orange background. Which technical solution and problem are analogous?
Answer: Using _3d for a JavaScript identifier rather than 3d, since JavaScript will not allow an identifier to start with a digit. This is similar with the above situaltion.

Related Questions

Navigate

• Browse (All)
• Browse W
• Subjects

---

---

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.