Download ppt

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

One-time pad wikipedia , lookup

Wireless security wikipedia , lookup

Mobile security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Address space layout randomization wikipedia , lookup

Security printing wikipedia , lookup

Diffie–Hellman key exchange wikipedia , lookup

Web of trust wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Cross-site scripting wikipedia , lookup

Transcript
CSE 190: Internet E-Commerce
Sample Final Exam Questions
SQL, DB Design
1.
Given these tables, write an appropriate SQL query:
real_estate_agent (id, name, region)
sales (id, agent_id, property_id, price,
date)
property (id, address)
1.
Show who sold what property during the last month.
select a.name, p.address
from real_estate_agent a, sales s, property p
where s.agent_id = a.id and s.property_id = p.id and
s.date >= ’02/01/2002’
2.
Show total sales by region after ’01/01/2002’
select a.region, sum(s.price)
from real_estate_agent a, sales s
where s.agent_id = a.id and s.date > ’01/01/2002’
group by a.region
SQL, DB Design
2. Put the following table design in 3-NF.
Workflow_event (document_name, source_name, source_email,
destination_name, destination_email, date)
‘Source’ and ‘destination’ are the people, with names and email
addresses. Document_name is a name identifying a document being
passed between people, usually unchanged through a multi-step
transaction.
workflow_events(document_id,source_id,dest_id,date)
documents(document_id, document_name)
people(source_id, source_name, source_email)
DB Coding
3. Write ADO code to query the preceding
design for all of today’s work flow events.
See lecture notes
4. Write JSP code to query the preceding
design for all of today’s work flow events.
See lecture notes
Operations
5. What is the purpose of robots.txt?
Exclude automated programs from accessing certain pages or
sections of your web site. This is done for efficiency (pages
may be soon obsolete), security (pages may have sensitive
content), and operational reasons (access may be being
abused by the robot). Of course, automated programs might
ignore the file, as this cannot be automatically enforced.
6. What is the purpose of a data center?
Provide facilities to host the servers of a web site. The data
center may be owned by the firm or be a third-party to whom
data center services are outsourced. Generally, data centers
provide security, power, bandwidth, and monitoring services.
Security
7. Sketch how to write a buffer overflow attack on the following code:
char body[ BUFSIZ ];
int bodyByteCount = parseHeader( header );
int rc = recv( sock, body, bodyByteCount );
The receiving end writes code similar to this:
for( 1..n ) {
// n is much greater than BUFSIZ
send( sock, 0x90 ); // send NOP code character
// which depends on the platform
}
char hostileCode[] = “\xEB……./bin/sh\”…….”;
/* hostileCode = byte codes for this code:
execve( “/bin/sh”, args );
return;
*/
send( sock, hostileCode );
Security
8. Explain the difference between the entropy of a session key and its length.
How do you exploit a session key with low entropy?
The entropy of a session key is the negative log of the inverse of the
probability of predicting the session key. The length of the session key
is the count of bits representing the key. The length is always greater
than the entropy. A good session key has a high entropy, and is
compact if the session key length is close to the entropy.
If the session key has a low entropy, then regardless of the length of
the session key, it is vulnerable to the following attack: generate
random session keys using some predictive model. Test the generated
key; if it works, as expected with a low entropy, then you now have a
valid session. Repeat until you have a valid session.
This is why generating a random session key from a user’s password
gains no security advantage over storing a one way hash of the
password; the entropy of the key is the same as the entropy of the
password, which is low.
Performance
9. Why might you use client IP affinity instead of no affinity for load balancing?
What is the trade off?
If you have resources which are cached at the server (e.g. an SSL
session) which are expensive to re-establish at a fresh server, you
may use client IP affinity to insure that requests from the same client
are repeatedly satisfied by the same server during this session. The
trade off is that the load may be unevenly distributed. This
organization is still robust to failure though.
10. What is the difference between network and application load balancing?
Application load balancing chooses the least loaded server to handle
the newest incoming request. Network load balancing treats all
servers as equal, regardless of their load, and assigns requests in a
round-robin or random manner. In other words, application load
balancing uses some knowledge about the application’s run-time
behavior and network load balancers limit their knowledge to the
network layer.
XML, XSL
11. How is XML different from HTML?
Both are an application of SGML. However, XML is similar to
SGML because it allows the document author to invent their
own tags. Both XML and HTML may be validated against their
DTD (document type definition.)
12. What’s the result of applying this stylesheet to this XML document?
See lecture example
Xml:
<?xml version="1.0" encoding="ISO-8859-1" ?> <!-- Edited with XML Spy
v4.2 -->
- <CATALOG>
- <CD>
<TITLE>Empire Burlesque</TITLE>
<ARTIST>Bob Dylan</ARTIST>
<COUNTRY>USA</COUNTRY>
<COMPANY>Columbia</COMPANY>
<PRICE>10.90</PRICE>
<YEAR>1985</YEAR>
</CD>
- <CD>
<TITLE>Hide your heart</TITLE>
<ARTIST>Bonnie Tyler</ARTIST>
<COUNTRY>UK</COUNTRY>
<COMPANY>CBS Records</COMPANY>
<PRICE>9.90</PRICE>
<YEAR>1988</YEAR>
</CD>
</CATALOG>
XSL:
XSL:
<?xml version="1.0" encoding="ISO-8859-1" ?>
- <xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
- <xsl:template match="/">
- <html>
- <body>
- <table border="1">
- <tr>
<th>Title</th>
<th>Artist</th>
</tr>
- <xsl:for-each select="catalog/cd">
- <tr>
- <td>
<xsl:value-of select="title" />
</td>
- <td>
<xsl:value-of select="artist" />
</td>
</tr>
</xsl:for-each>
</table>
</body>
</html>
</xsl:template>
</xsl:stylesheet
SOAP
13. Show the function call that corresponds to this
SOAP request, in any programming language.
<soap:Envelope>
<soap:Body>
<xmlns:m= "http://www.amzn.org/books"/>
<m:GetBookPrice>
<m:BookName>Fast Food
Nation</m:BookName>
</m:GetBookPrice>
</soap:Body>
</soap:Envelope>
In Java: float GetBookPrice( String BookName );
WML
14. What is WML for? What criticism could you offer for representing
web content this way?
WML = Web Markup Language. Used to communicate online
content to mobile devices (wireless) through the WAP protocol.
It was designed to be a simpler, more constrained subset of
HTML, with more limited display capabilities.
Arguably WML should not exist, and wireless devices should
read HTML and render it using its more limited display
capabilities, as was originally intended by HTML’s authors.
WML asks content authors to effectively create a second web,
parallel to the HTML web, which is possibly an expensive
proposition.