a. Cross Site Request Forgery (CSRF) attacks against web sites that rely solely on cookies for...
Question:
a. Cross Site Request Forgery (CSRF) attacks against web sites that rely solely on cookies for session management. Briefly explain a CSRF attack on such a site.
b. A common CSRF defense places a token in the DOM of every page (e.g., as a hidden form element) in addition to the cookie. An HTTP request is accepted by the server only if it contains both a valid HTTP cookie header and a valid token in the POST parameters. Why does this prevent the attack from part (a)?
c. One approach to choosing a CSRF token is to choose one at random. Suppose a web server chooses the token as a fresh random string for every HTTP response. The server checks that this random string is present in the next HTTP request for that session. Does this prevent CSRF attacks? If so, explain why. If not, describe an attack.
d. Another approach is to choose the token as a fixed random string chosen by the server. That is, the same random string is used as the CSRF token in all HTTP responses from the server over a given time period. Does this prevent CSRF attacks? If so, explain why. If not, describe an attack.
e. Why is the Same-Origin Policy important for the cookie-plus-token defense?
Expert Answer:
a. In a CSRF attack against a site relying solely on cookies for session management, an attacker tricks a user's browser into making an unintended and ma...
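The cookie-plus-token check from part (b), written out as an added Python sketch that is not part of the original question or answer. The in-memory session store, the cookie name `session` and the POST parameter name `csrf_token` are assumptions; it shows a legitimate submit passing and a cross-site request, which carries the cookie but not the token, being rejected.

```python
import hmac
import secrets

# Constructed in-memory session store (assumed): session cookie value -> that session's CSRF token.
SESSIONS = {}


def create_session():
    """Issue a new session cookie and the CSRF token the server embeds in that session's pages."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = secrets.token_urlsafe(32)  # random, unguessable, bound to this session
    return cookie, SESSIONS[cookie]


def accept_request(cookies, post_params):
    """Server-side rule from part (b): accept only if the cookie header names a live
    session AND the POST parameters carry the token issued for that same session."""
    cookie = cookies.get("session")
    expected = SESSIONS.get(cookie)
    if expected is None:
        return False  # no valid session cookie
    supplied = post_params.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered byte by byte via timing.
    return hmac.compare_digest(expected, supplied)


def demo():
    cookie, token = create_session()
    # Legitimate form submit: the page the site rendered included the hidden token field.
    legit = accept_request({"session": cookie}, {"csrf_token": token, "amount": "10"})
    # Cross-site request: the browser attaches the cookie automatically, but the
    # Same-Origin Policy keeps another origin's page from reading the token, so it is absent.
    forged = accept_request({"session": cookie}, {"amount": "10"})
    # A token that belongs to some other session is rejected as well.
    _, other_token = create_session()
    wrong = accept_request({"session": cookie}, {"csrf_token": other_token, "amount": "10"})
    return legit, forged, wrong


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```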