Which of the following should be used to construct a "remember me" token?

20 bytes of random data from /dev/urandom stored via a hash (e.g. SHA-1)

A hash (e.g. SHA-1) of user's username, password and a salt concatenated

20 bytes of random data from /dev/urandom

Your application communicates with a third-party JSON API over the Internet. The API is accessed using an HTTPS connection, which is based on a self-signed certificate. Is the communication between your application and the API secure?

Yes, if the third-party certificate can be securely imported into your application

No, it is not possible with self-signed certificates

Yes, because HTTPS is being used.

No, because HTTPS/Self-signed are not compatible.

You concatenate and hash two inputs, input1 and input2, with SHA-256 algorithm. Is it possible that the order of the inputs fed to the SHA-256 function may have a direct effect regarding security of the hashing? sha256(input1 . input2) vs. sha256(input2 . input1)

No, security-wise it does not make a difference with SHA-256

Week 13b

Quiz

•

Computers

•

University

•

Practice Problem

•

Hard

A Moreno

Used 12+ times

FREE Resource

10 questions

Show all answers

MULTIPLE CHOICE QUESTION

1 min • 1 pt

Your application sets a cookie with Secure attribute. What does this mean?

The cookie can not be accessed by JavaScript

The cookie will not be sent cross-domain

Client will send the cookie only over an HTTPS connection

none of these

MULTIPLE CHOICE QUESTION

1 min • 1 pt

The session ID must be renewed after...

A short idle period (ie. 30 seconds)

When a new window is created

Any privilege level change

A client logs in

MULTIPLE CHOICE QUESTION

1 min • 1 pt

Your web server supports secure (HTTPS) connections. By design, which of the following is the best way to make sure a client will not accidentally request a page over non-secure HTTP connection?

Completely close port 80

Use HTTP Strict-Transport-Security

Redirect all requests for port 80 to port 443

disable port 433

MULTIPLE CHOICE QUESTION

1 min • 1 pt

Your application performs logging queries after certain events. Timestamp, IP address, POST payload and a type of action will be saved to a MySQL database. Is it possible for an adversary to bypass this logging query by sending specifically crafted POST payload?

No, if escaping is used (ie. mysql_real_escape_string() function in PHP)

Yes, further validation is needed on the input data

No, if the SQL query is performed using a prepared statement with correctly set character encoding

Yes, because posts are generally associated with malicious payloads

MULTIPLE CHOICE QUESTION

1 min • 1 pt

You use a 104-bit, cryptographically strong, random number (hexadecimal encoded, for example) as your password on a web site which stores passwords as plain MD5 hashes: md5 (password). Is it safe to assume your password will be safe if the user database leaks?

Yes

No, because of the broken collision resistance of MD5

maybe...?

No, because of the lack of salting and stretching

MULTIPLE CHOICE QUESTION

1 min • 1 pt

You are running Apache + PHP server. PHP runs as an Apache module:
AddHandler php5-script .php
You allow users to upload avatar images (in PNG format). Avatar filename is allowed to contain characters: "a-z0-9.-".
Is it safe to assume you are secure against PHP code execution launched via uploaded files?

Yes, if I make sure the filename ends with .png extension

occassionally

No, further configuration is needed on the server-side

Yes, if I reject files that do not pass getimagesize()

MULTIPLE CHOICE QUESTION

1 min • 1 pt

Your PHP application reads user submitted XML documents using DOM. You fetch certain element values from the XML:
$doc = new DOMDocument();
$doc->loadXML($xml);
$params = $doc->getElementsByTagName('parameters');
You display some of those parameters on the user's account settings page. Is it possible to exploit this scenario with a maliciously crafted XML document?

yes

No, if I make sure the user submitted XML is well-formed

maybe?

No, if I escape the data before displaying on the account page

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

10 questions

Creating tables in HTML

Quiz

•

University

15 questions

Chapter 8 - Memory Management Strategies

Quiz

•

University

10 questions

Website Usability and UX

Quiz

•

University

10 questions

Quiz - CSE

Quiz

•

University

10 questions

Hands-on Modul 3

Quiz

•

University

10 questions

Visual Basic 2010

Quiz

•

8th Grade - University

10 questions

CS100||MsWord

Quiz

•

University

11 questions

Types of Mass Media

Quiz

•

10th Grade - Professi...

Popular Resources on Wayground

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

15 questions

Equivalent Fractions

Quiz

•

4th Grade

20 questions

Figurative Language Review

Quiz

•

6th Grade

Discover more resources for Computers

30 questions

Quiz 1 Review

Quiz

•

University

Week 13b

10 questions

Your application sets a cookie with Secure attribute. What does this mean?

The session ID must be renewed after...

Your web server supports secure (HTTPS) connections. By design, which of the following is the best way to make sure a client will not accidentally request a page over non-secure HTTP connection?

Your application performs logging queries after certain events. Timestamp, IP address, POST payload and a type of action will be saved to a MySQL database. Is it possible for an adversary to bypass this logging query by sending specifically crafted POST payload?

You use a 104-bit, cryptographically strong, random number (hexadecimal encoded, for example) as your password on a web site which stores passwords as plain MD5 hashes: md5 (password). Is it safe to assume your password will be safe if the user database leaks?

Which of the following should be used to construct a "remember me" token?

Your application communicates with a third-party JSON API over the Internet. The API is accessed using an HTTPS connection, which is based on a self-signed certificate. Is the communication between your application and the API secure?

You concatenate and hash two inputs, input1 and input2, with SHA-256 algorithm. Is it possible that the order of the inputs fed to the SHA-256 function may have a direct effect regarding security of the hashing?sha256(input1 . input2)vs.sha256(input2 . input1)

Access all questions and much more by creating a free account

Similar Resources on Wayground

Popular Resources on Wayground

Discover more resources for Computers

You concatenate and hash two inputs, input1 and input2, with SHA-256 algorithm. Is it possible that the order of the inputs fed to the SHA-256 function may have a direct effect regarding security of the hashing?
sha256(input1 . input2)
vs.
sha256(input2 . input1)