Web Attacks and Network Security Lecture Quiz

Questions and Answers

What is the purpose of using session tokens in web authentication?

To associate requests with an authenticated user without the need to re-enter username and password.

What risk is associated with an attacker stealing a session token?

The attacker can log in as the legitimate user.

How can servers and browsers mitigate the risk of session token theft?

Servers should generate session tokens randomly and securely, while browsers should enforce isolation with cookie and same-origin policies.

What attributes should the server set for the session token to enhance security?

Domain, Path, Secure, HttpOnly, and Expires.

What is the purpose of the 'Expires' attribute for a session token?

To set the expiration time for the cookie, typically when the session times out.

What is Cross-Site Request Forgery (CSRF) and how does it work?

CSRF is an attack that exploits cookie-based authentication to trick victims into making unintended requests, which are automatically attached with relevant cookies.

What is the main idea behind using cookies in web authentication?

To automatically send information in a request to associate the request with an authenticated user.

How does the browser ensure that session tokens are not sent to the wrong websites?

By enforcing the cookie policy and same-origin policy.

What is the purpose of the 'HttpOnly' attribute for a session token?

To restrict JavaScript access to the session token.

Why is it important for servers to set the 'Secure' attribute for session tokens?

To ensure that the cookie is only sent over secure HTTPS connections.

What is the purpose of the Secure attribute in a cookie?

To ensure that the browser only sends the cookie if the request is made over HTTPS (not HTTP)

Explain the impact of setting the HttpOnly attribute to True in a cookie.

Setting the HttpOnly attribute to True restricts JavaScript in the browser from accessing the cookie.

What does the domain attribute in a cookie define?

The domain attribute defines which requests the browser should attach the cookie for if it is a domain suffix of the server's domain.

How is a session defined in the context of web attacks?

A session is a sequence of requests and responses associated with the same authenticated user.

What is the purpose of the Expires attribute in a cookie?

The Expires attribute defines when the cookie is no longer valid.

Explain the concept of Cross-Site Request Forgery (CSRF).

Cross-Site Request Forgery (CSRF) involves an attacker making unauthorized requests on behalf of a user to a different site where the user is authenticated.

What is the purpose of a CAPTCHA in web security?

A CAPTCHA is used to distinguish between human users and automated bots, enhancing security against automated attacks.

How does the browser decide which cookie to attach to a request?

The browser attaches a cookie on a request if the domain attribute is a domain suffix of the server’s domain, and the path attribute is a prefix of the server’s path.

What are the typical attributes of a cookie?

The typical attributes of a cookie include name, value, domain, path, secure, HttpOnly, and expires.

Why is it important to have a cookie policy?

A cookie policy is important to provide guidelines on how cookies are used, stored, and managed to ensure user privacy and security.