WAS621S - WEB APPLICATION SECURITY - 2ND OPP SUPL - JAN 2023
NAMIBIA UNIVERSITY OF SCIENCE AND TECHNOLOGY
Faculty of Computing and Informatics
Department of Computer Science
QUALIFICATION: Bachelor of Computer Science in Cyber Security
QUALIFICATION CODE: 07BCCS
COURSE: Web Application Security
DATE: January 2023
DURATION: 2 hours
LEVEL: 6
COURSE CODE: WAS621S
PAPER: THEORY
MARKS: 80
SUPPLEMENTARY / SECOND OPPORTUNITY EXAMINATION QUESTION PAPER
EXAMINER(S): MR EDWARD NEPOLO
MODERATOR: DR MERCY CHITAURO
THIS QUESTION PAPER CONSISTS OF 7 PAGES
(Including this front page)
INSTRUCTIONS
1. Answer ALL the questions.
2. Write clearly and neatly.
3. Number the answers clearly.
4. When answering questions, you should be guided by the allocation
of marks. Do not give too few or too many facts in your answers.
PERMISSIBLE MATERIALS
1. Non-programmable calculator

Section A [12 Marks]
1. What's the difference between persistent and non-persistent XSS attacks?
i. Persistent attack only affects one user.
ii. Non-persistent attacks, the script is stored on the application's database.
iii. Persistent attacks, the script is stored on the application's database.
iv. The difference between persistent and non-persistent XSS attack is that in persistent attack both the user and the server are targets, while in persistent attacks only the user is a target.
2. What information is the attacker hoping to steal in an XSS attack?
i. HTTP Socket layer information
ii. CSRF Token information
iii. Session ID through cookies
iv. Session ID through tokens
3. Which attack is a user vulnerable to when HTTP Strict Transport Security is not enabled?
i. Session Hijacking
ii. Page-In-The-Middle Attack
iii. SSL Stripping
iv. Session Fixation
4. During an XSS attack, which platform is relied upon to execute a script on the client side?
i. DOM Environment
ii. XML
iii. AJAX
iv. JavaScript
5. Which platform is suitable for making partial server requests?
i. XMLHttpRequest
ii. AJAX
iii. XML
iv. JavaScript
6. If XSS attacks rely on client-side code execution, why don't we simply switch to server-side code execution?
i. Client-side code execution offers better round-trip time performance
ii. No, XSS does not rely on client-side code execution.
iii. Server-side code execution cannot execute client-side requests.
iv. Server-side execution does not access the cookies that are targeted by XSS attack.
7. If persistent XSS attacks rely on user input points stored on the client side, why don't we use data input on server side?
i. The server does not allow data input from server side.
ii. The server does not allow user input on client side.
iii. No, persistent XSS attacks do not rely on user input points stored on the client side.
iv. Data input on server side will increase communication delay.
8. What are some common types of attacks that can be launched against a web application? Choose two.
i. IoT Botnets
ii. SQL Injection Attacks
iii. DNS Attacks
iv. Cross-Site Scripting Attacks
v. Encryption Attacks
9. JSON Web Tokens are standards for sharing security information. What information is provided in the payload? Choose two.
i. Subject
ii. Algorithm
iii. Application
iv. Claim
10. Select an authentication process that allows users to access multiple applications using one set of login credentials.
i. Multifactor Authentication
ii. Two Factor Authentication
iii. Single Sign-On
iv. Two Factor Verification
Section B
Question 1 [42 Marks]
1.1 How does a Cross-Site Scripting attack work?
[4 Marks]
1.2 Explain the difference between Cross-Site Scripting and Cross-Site Request Forgery.
[4 Marks]
1.3 SSL Stripping is one of the attacks targeted at web applications. Explain how an SSL Stripping attack works.
[4 Marks]
1.4 Mention and explain one technology used to mitigate SSL Stripping attacks.
[4 Marks]
1.5 What's the biggest risk when using cookies to store session information?
[4 Marks]
1.6 Mention and explain two measures that can be used to counter buffer overflow attacks.
[4 Marks]
1.7 Mention two attributes that are configured on session cookies and explain what the attributes imply.
[4 Marks]
1.8 Name and explain three security measures that can be put in place to ensure that cookies are secured during communication.
[6 Marks]
1.9 Name and explain three SQL Injection attack modes.
[6 Marks]
2.0 How does one defend against Cross-Site Request Forgery?
[2 Marks]
Question 2
[16 Marks]
2.1 What is password proliferation, and what technologies are available to address password proliferation?
[4 Marks]
2.2 There are three elements that single sign-on depends on; explain the flow of single sign-on.
[6 Marks]
2.3 What is SAML Assertion?
[2 Marks]
2.4 Mention and explain two types of cookies used in session management.
[4 Marks]
Question 3 [10 Marks]
3.1 Mention five ways in which you would mitigate against SQL Injections.
[5 Marks]
3.2 Name and explain the type of Man-In-The-Middle attack that can take place if HTTP Strict Transport Security is not enabled.
[5 Marks]
- END OF EXAMINATION PAPER -

NAMIBIA UNIVERSITY OF SCIENCE AND TECHNOLOGY
P/Bag 13388
Windhoek
NAMIBIA
2022-10-18