WWW and mobile security summary questions

Questions are randomized per student, and you will only receive correct/incorrect feedback for them. In Problem 1, each question has exactly one correct option.

In Problem 2, each student will get at least one correct option, usually more. Problem 2 is accepted when the score is 12 or higher, and points are shown with a yellow background. Unfortunately, Plussa gives “incorrect” feedback for partially correct answers. However, Problem 2 is considered passed if the score is 12 or more. From the score alone, you cannot directly infer whether an individual choice was correct or not. Points start accumulating only after more than half of the choices in the problem are correct.

Question 1

X.509 certificate

establishes an HTTPS connection.

authenticates the certificate authority to the server.

can be used for both client and server authentication.

is proof of the security of the service.

Question 2

In form-based HTTP authentication

GET requests are used.

data is transmitted in plaintext if HTTPS is not used.

no additional security is needed, unlike in basic HTTP authentication.

the login form integrated into the browser is used.

Question 3

A cookie

does not contain sensitive data.

is deleted when the session ends.

can enable session token hijacking.

reduces the usability of a service.

Question 4

A drive-by-download attack

is important in clickjacking attacks.

spreads vulnerable software components.

is easy to detect.

installs malware on the user’s computer.

Question 5

In a smudge attack

passwords are looked at over the user’s shoulder.

malicious code is injected into an application.

greasy fingers are important.

the main page of a website is stained.

Question 6

JavaScript

is a conceptual problem.

enables many security issues.

can be disabled without usability problems.

is problematic because its execution contexts are poorly isolated.

Question 7

Content Security Policy improves security

against clickjacking attacks.

because it prevents the execution of malicious scripts in the browser.

because it allows limiting the number of sources the browser considers trusted.

by sandboxing webpage processes.

Question 8

Validation of user input

is necessary also in mobile applications.

is unnecessary when an HTTPS connection is used.

is important for preserving confidentiality.

may prevent the use of the application’s storage.

Select the correct statements. You may choose one or several options.

Question 1

To mitigate injection attacks, input sanitization and access control are important.

Input sanitization requires strict access-control policies.

In client-side attacks, attackers exploit e.g. interaction problems and client-side data storage.

Countermeasures against phishing should be purely technical.

In Android, leakage of sensitive data to the SD card is prevented.

Appification refers to the shift from web-based platforms to applications.

A URL’s syntax always includes at least a DNS name, a resource address, and user information.

HTML and CSS establish an HTTPS connection.

There is no malware in app stores.

HTTP and HTTPS are fundamental protocols in web and mobile ecosystems.

HTTPS creates a secure web connection using public key infrastructure.

Posting submission...