TU Wien:Introduction to Security VU (Maffei)/Prüfung 2023-05-09
Allgemein[Bearbeiten | Quelltext bearbeiten]
Test bestand aus 13 Fragen, alle bis auf eine mit 1 Punkt, 2 Punkte = 25 Punkte
Pro richtig angekreuzt: +0.5 Pkt
Pro falsch angekreuzt: -0.5 Pkt
Pro Frage Min: 0, Max: 2 (bis auf eine: 1)
1. Which of the following combination of authentication method can be used to implement a 2-factor authentication? (yes / no)[Bearbeiten | Quelltext bearbeiten]
- One time password (TAN) generated by an authenticator app and face recognition.
- Password and hardware token
- Fingerprint and hardware token.
- Smartcard and one time password sent via SMS (mTAN).
2. What are the advantages provided by the usage of password salting? (true / false)[Bearbeiten | Quelltext bearbeiten]
- It makes it harder to carry out an online brute-force attack against the login from of a website.
- It reduces the usefulness of rainbow tables for cracking password hashes.
- It hides the reuse of the same password by different users, in case the attacker gets access to the file with the password hashes.
- It considerably slows down (e.g., by a factor of 1000) the time required to perform a brute-force attack against a single password hash.
3. Consider the following program written in C: (true / false)[Bearbeiten | Quelltext bearbeiten]
1 #include <stdlib.b> 2 #include <stdio.h> 3 4 int valid_nickname_length() { 5 char nickname[16]; 6 gets(nickname); 7 if(strlen(nickname) <= 16) { 8 return 1; 9 } else { 10 return 0; 11 } 12 } 13 14 int main() { 15 if(valid_nickname_length()) { 16 printf("Length of the nickname is fine!\n"); 17 }; 18 19 return 0; 20 }
Recall that the function gets reads all data from the standard input until the first newline and stores the read data, followed by a NULL terminator, in the buffer provided as parameter. The newline (if present) is not stored in the buffer. Which of the following statements are true?
- The code can be fixed by replacing the operator <= with < on line 7.
- The input ABCDEABCDEABCDEA (16 characters) causes a buffer overfiow.
- The code can be fixed by truncating the content of nickname after the call to gets, e.g., by adding the instruction nickname [15] = '\0'; after line 6.
- The size of the array nickname should be larger to prevent memory corruption vulnerabilities
4. Which of the following design choices should be adopted when designing, implementing or deploying an IT system? (true / false)[Bearbeiten | Quelltext bearbeiten]
- A server should not expose to the Internet services that are meant to be accessed only by employees of the organization from the internal network.
- If possible, systems should deploy redundant security mechanisms to reduce the likelihood of successful exploitation by attackers.
- A system should use only cryptographic algorithms whose inner workings are not publicly known, in order to prevent attackers from using well-known vulnerabilities to attack them.
- Web applications should be configured in such a way that they do not reveal debugging information when errors arise while processing an incoming request.
5. Assume the following permissions for the standard cat binary, as displayed by the command ls: (true / false)[Bearbeiten | Quelltext bearbeiten]
-rwsr-xr-- 1 root users 43432 Aug 7 2023 /bin/cat
Assume also the existence of the following file secrets.txt, owned by the user niklas, who is not a member of the group users:
-rw-r----- 1 niklas niklas 7 Sep 21 4:20 secrets.txt
Which of the following statements are true?
- Only root can change the permissions assigned to the file secrets.txt.
- The user niklas, who is not a member of the group users, cannot execute the cat binary.
- The user ilya, member of the group users, can execute the binary cat to read the file secrets.txt
- The permissions allow members of the group users to read sensitive files in the system, such as /etc/shadow where password hashes of the users are stored.
6. Which of the following statements about memory protection techniques are correct? (true / false)[Bearbeiten | Quelltext bearbeiten]
- W^X/DEP mitigates return-to-libc attacks, but it is not effective against ROP
- ASLR mitigates buffer overflows by making the payload length (e.g., the number of bytes required to reach the saved return address) hard to guess.
- Canaries are not effective against the overwrite of pointers in the same stack frame where the overflow takes place.
- W^X/DEP is effective against attacks in which the payload provided by attacker is stored on some buffer on the stack and then executed.
7. Which of the following web attacks are classified as client-side attacks? (1 Point, true / false)[Bearbeiten | Quelltext bearbeiten]
- Command injection
- Cross-site request forgery (CSRF)
- Stored cross-site scripting
- Reflected cross-site scripting
8. The cookie jar of a browser contains the following cookies: (sent / not sent)[Bearbeiten | Quelltext bearbeiten]
Name | Value | Domain attribute | Path | Secure | HttpOnly | Domain that set the cookie | SameSite |
---|---|---|---|---|---|---|---|
sid | xyz123 | not set | / | yes | yes | example.com | Lax |
adm | gbf4sY | not set | /admin | yes | yes | www.example.com | Strict |
lang | en | example.com | / | yes | no | prefs.example.com | None |
bad | badbad | not set | / | no | no | evil.com | Lax |
Which cookies are attached to a request to https://mail.example.com/, assuming that the request is generated by clicking on a link on the page https://www.example.com/admin/ (i.e. the request causes a top-level navigation)?
- sid
- adm
- lang
- bad
9. The page at https://example.com/file.php contains a script that performs a request towards a certain URL (e.g., using the JavaScript function fetch) and tries to access programmatically the contents of the response. For which of the URLs below would this operation succeed? Unless differntly specified, the response does not contain any Access-Control-Allow-Origin behaviour. (success / failure)[Bearbeiten | Quelltext bearbeiten]
- https://example.com/search.php?q=text
- http://example.com/api/list.php
- https://maps.google.com/maps/api/ and the response contains the HTTP header Access-Control-Allow-Origin: *
- https://sub.example.com/stats.php
10. Consider the following PHP code: (true / false)[Bearbeiten | Quelltext bearbeiten]
1 <?php 2 $db = new PDO(CONNECTION_STRING, DB_USER, DB_PASS); 3 4 $query = "SELECT name, phone_number FROM users WHERE STRPOS(name, ?) > 0"; 5 6 $sth = $db->prepare($query); 7 $sth->bindValue(1, $_POST["search"]); 8 $sth->execute(); 9 10 echo "Results for " . $_POST["search"]; 11 12 foreach ($sth as $row) { 13 echo "Name: " . $row["name"]; 14 echo "Phone number: " . $row["phone_number"]; 15 } 15 ?>
Which of the following statements are true?
- The code is vulnerable to SQL injections.
- The code is vulnerable to path traversal attacks.
- The code is vulnerable to reflected XSS.
- The code is vulnerable to DOM-based XSS.
11. Which of the following statements about CSRF attacks and defenses hold? Assume that the application to be protected is not vulnerable to injections of any kind (e.g. XSS), unless stated otherwise. (true / false)[Bearbeiten | Quelltext bearbeiten]
- If a site sets the SameSite attribute for all its cookies to Strict, it does not need to implement further protections against CSRF attacks.
- Defenses based on the validation of the Referer header can be voided if the target website is vulnerable to XSS attacks, since the attacker can use the injected script to perform same-origin requests to the endpoint of interest.
- CSFR attacks can be executed only against endpoints that process GET requests, where the parameters chosen by the attacker are provided via the query string of the endpoint's URL.
- The Content Security Policy (CSP) can be used to prevent CSRF attacks.