d. Would the following code running on https://attacker.com be allowed to print out the
contents of the students homepage, which include the currently logged-in user's grades?
Why or why not? (6)
<script>
const res = await fetch('https://students.nust.na')
const data = await res.body.text()
console.log(data) // Haha, got your grades!
</script>
NOTE: https://students.nust.na does not send any special HTTP headers such as
Access-Control-Allow-Origin, which are also known as "CORS" headers.
Question 2 [27 Marks]
2.1. Why is it a bad idea to include detailed error information (e.g. including a stack trace) in
the HTTP response when the server throws an exception? (5)
2.2. You are a penetration tester evaluating a client's website for security vulnerabilities. You
notice that their authentication system chooses sequential session IDs for users. Specifically,
the first user to log in to the site gets a session ID of 1, the second user gets 2, the third user
gets 3, and so on. Describe an attack against this authentication system. (4)
2.3. Your friend has built a personal site hosted at https://nust.edu/clueless. They have built an
authentication system so certain pages of the site can only be accessed by authorized
individuals. Once a user logs in successfully, the server sends a response with a Set-Cookie
HTTP header to set a sessionId cookie in the user's browser.
Set-Cookie: sessionId=1234; Path=/clueless
Your friend is specifying the Path attribute on the cookie so that the cookie is scoped to the
path prefix /clueless. This means that the cookie will be sent when the user visits
https://nust.edu/clueless or https://nust.edu/clueless/secret but not when they visit
https://nust.edu/attacker.
Nonetheless, it turns out that https://nust.edu/attacker can read the sessionId cookie that was
scoped to your friend's site with the Path attribute.
Explain what the page at https://nust.edu/attacker could do to read the cookie. (6)
2.4. What cookie attribute (e.g., Secure, HttpOnly, Domain, SameSite) could your friend in 2.3
have specified when setting the cookie that would have prevented the attacker from
stealing the sessionId cookie? Justify your answer. (4)
2.5. What's the biggest risk when using cookies to store session information? (4)
2.6. Differentiate between authentication and authorisation. (4)