QUESTIONS AND CORRECT ANSWERS
HTML/JavaScript are the primary languages targeted by cross-site scripting attacks. - CORRECT ANSWER True
The Same Origin Policy prevents XSS attacks if a browser implements it correctly. - CORRECT ANSWER False
Return-oriented programming may exploit a stack buffer overflow. - CORRECT ANSWER True
Which statement is wrong about orchestrating gadgets in return-oriented programming: - CORRECT ANSWER Some gadgets can be injected onto the stack.
Control flow integrity (CFI) is provided by the compiler and adds instrumentation into the binary during compile time. - CORRECT ANSWER True
In Control Flow Integrity (CFI), an in-line reference monitor is a rewriting of the program by inserting instructions to check whether the CFI property is maintained. - CORRECT ANSWER True
Control flow integrity cannot be defeated by modifying the code labels to allow the desired control flow. - CORRECT ANSWER True
It determines what resources a class can access, such as reading and writing to the local disk. - CORRECT ANSWER Security Manager
The server can trust cookie values in HTTP requests to be untampered since the cookies are set by the server. - CORRECT ANSWER False
Which of the following is not a Java feature? - CORRECT ANSWER Use of pointers
Which of the following is wrong about the Java Byte Code Verifier? - CORRECT ANSWER Checks that the computer resources are available
In return-oriented programming, a return from a hijacked function cannot be controlled by the hijacker. - CORRECT ANSWER False
Which of the following options leads to the portability and security of Java? - CORRECT ANSWER Bytecode is executed by JVM
Reflected XSS occurs when an attacker gets a victim to send a request with malicious input to a server, which includes the unsanitized input in the HTML output it produces. - CORRECT ANSWER True
How can a stack buffer overflow hijack the control flow of the program? - CORRECT ANSWER
- Overwriting the return address on the stack
- Overwriting a function pointer on the stack
(All of the above)
An attack on a website that stores and displays text to a user is known as _______ attack. - CORRECT ANSWER XSS attack
Which element of the Java sandbox associates permission with a particular code source? - CORRECT ANSWER Protection Domain
An attacker of return-oriented programming may overflow the buffer by - CORRECT ANSWER appending one or more fake calling frames
One common strategy to prevent XSS vulnerabilities is to (choose the best answer): - CORRECT ANSWER Escape the user's input is valid as soon as possible.
Which of the following checks the code fragments for illegal code that can violate access rights to objects? - CORRECT ANSWER Bytecode Verifier