16. Web security: web basics

Question 1

How does hidden field session tracking work?

Answer 1

Web server sends hidden input field with session ID, when form is submitted web server is sent that session ID

Question 2

Whats the disadvantage of hidden field session tracking?

Answer 2

• Every form must have session ID (tedious)

- Session ends when page is closed

Question 3

How does cookie session tracking work?

Answer 3

Browser stores cookies and included them in all subsequent requests to the originating host

Question 4

What is the disadvantage of cookie for session tracking?

Answer 4

Can be disabled by user

Question 5

What fields does a cookie contain?

Answer 5

• name
• value
• expires (when to delete)
• domain
• path
• Secure (only over SSL)
• HttpOnly (only over HTTP, no JS)

Question 6

What domains is a cookie valid for?

Answer 6

The domain and all sub domains

Question 7

Can mail.example.com access cookies set for example.com

Answer 7

yes

Question 8

Can example.com access cookies set for mail.example.com

Answer 8

no

Question 9

Which domains can one.mail.example.com set cookies for?

Answer 9

Any subdomain and only 1 level up (mail.example.com)

Question 10

How does a network attacker differ from a web attacker?

Answer 10

Web attacker controls website victim visits. Network attacker controls whole network, can intercept, craft and send messages.