EXAMINATIONS – 2022
TRIMESTER 2
CYBR 271
SECURE PROGRAMMING
Time Allowed:
TWO HOURS
******** WITH SOLUTIONS **********
CLOSED BOOK
Permitted materials: Only silent non-programmable calculators or silent programmable calculators with
their memories cleared are permitted in this examination.
Printed foreign to English language dictionaries are permitted.
No other material is permitted.
Instructions:
Attempt ALL questions.
There are 100 marks total.
Write answers in the spaces provided in the examination booklet.
Hand in the examination booklet.
Questions
Marks
1. Security Principles
[10]
2. Security Threat Modellling
[20]
3. Security Testing
[20]
4. Privilege escalation
[20]
5. Buffer Overflow
[20]
6. Format String
[10]
7. Web security
[15]
CYBR 271
Page 1 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
SPARE PAGE FOR EXTRA ANSWERS
Cross out rough working that you do not want marked.
Specify the question number for work that you do want marked.
CYBR 271
Page 2 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
1. Security Principles.
(10 marks)
(a) Consider an Internet banking application where the application allows users to query their balance
and transfer money between accounts:
i. (2 marks) Define the security principle secure data at rest and give a simple example of the
principle in the context of the Internet banking application.
ii. (2 marks) Define the security principle separation of duty and give a simple example of the
principle in the context of the Internet banking application.
(b) You have been hired to review the security of a new smartwatch that has been designed to detect
severe heart arrythmia. A condition characterized by abnormal heart rhythm. The smartwatch will
vibrate when the condition is detected giving them time to seek emergency care.
i. (3 marks) The smartwatch collects extra information such as GPS location that is not necessary
for its functionality. Identify the security principle being violated and justify your answer.
CYBR 271
Page 3 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
ii. (3 marks) When the smartwatch fails, it doesn’t indicate that there is an error to user and the
display looks the same as if it is working correctly. Identify the security principle being violated
and justify your answer.
CYBR 271
Page 4 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
2. STRIDE and Security Cards
(10 marks)
Consider the following data flow diagram for the ECS submission system. Note that all communications
between the browser and web server are encrypted..
Browser/
Web server
Submit
Files
assignment
Student
Username and
Files
password
Authenticate
Assignments
Username and
user
directory
password
Marker
Marks and
Marksheet
comments
Mark
Assignment
(a) (2 marks) Name an external entity, process, data store and dataflow shown in the diagram.
(b) (2 marks) Name two categories of threats that are applicable to an external entity and give a brief
description of each.
(c) (2 marks) Describe an example of a threat applicable to any of the data flows shown in the diagram
and an appropriate mitigation.
CYBR 271
Page 6 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
(d) (4 marks) Compare using security cards with the STRIDE methodology in terms of coverage and
creativity, and explain why STRIDE is considered more suitable for inexperienced secure program-
mers. Make sure that you justify your answers.
CYBR 271
Page 7 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
3. Libraries and Addressing Threats
(10 marks)
(a) Consider the Common Vulnerabilities and Exposures (CVE) standard.
i. (2 marks) Define the term vulnerability and give a simple example.
ii. (2 marks) Define the term exposure and give a simple example.
Provide a concise example of each concept.
iii. (2 marks) What is the relationship between a CVE and the US National Vulnerability Database
(NVD).
(b) Consider Open Web Application Security Project (OWASP) top 10 risks.
i. (2 marks) List four risks from the 2021 edition.
ii. (2 marks) Briefly discuss the process that helps keep the list both based upon what has been
observed as well as what are new emerging threats.
CYBR 271
Page 9 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
4. Ranking Threats
(10 marks)
(a) (2 marks) Briefly explain why Microsoft has moved away from using DREAD to using Bug Bars?
(b) (4 marks) Briefly explain the relationships between assets, vulnerabilities, threat, security controls
and risk.
(c) (4 marks) A colleague recommends that you purchase cyberinsurance for your company to transfer
the risk associated with ransomware attacks. What are TWO new risks that might arise from taking
our cyberinsurance? Assume that you do not publicise that you have taken out cyberinsurance.
CYBR 271
Page 11 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
5. Reviews and Security Testing
(5 marks)
(a) (3 marks) Briefly explain why it is considered best to use a combination of manual and automated
security testing?
(b) (2 marks) Compare and contrast ordinary software testing with security testing.
CYBR 271
Page 13 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
SECTION A
Privilege escalation
[20 marks]
6. Unix uses the “9-bit permission mechanism” and groups users into different groups where access per-
mission can be managed per group. Using the ls -l command, you have got the following output.
Identify the different groups and their corresponding permissions regarding this file.
(3 marks)
− r −xrwxrw −
1 j o h n
s t a f f
290 12 Oct 15:03 s c r i p t
7. What values should be used with the chmod command to grant the following permissions to the script
file?
(3 marks)
• Others: Cannot read, write and execute.
• Owner: Can read and execute but cannot write.
• Group: Only allowed to write
$chmod
script
8. Converting a program to be a Set-UID program requires setting the Set-UID bit and changing the own-
ership of the program. After executing the following two commands on the stack program, the system
is not showing it is a privileged program. Explain what could be the reason.
(5 marks)
seed@VM$ sudo chmod 4755 s t a c k
seed@VM$ sudo chown r o o t s t a c k
9. A developer created the following privileged program to display the calendar by invoking the cal pro-
gram using the system() function. Briefly explain how Environment Variables can be used to execute
a cal program developed by the attacker instead of the one provided by the system.
(5 marks)
1# i n c l u d e < s t d l i b . h>
2i n t
main ( )
3{
4
system ( " c a l " ) ;
5
r e t u r n 0 ;
6}
CYBR 271
Page 14 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
10. Briefly explain the Principle of Isoloation
(4 marks)
CYBR 271
Page 15 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
SECTION B
Buffer Overflow
[20 marks]
11. Draw the stack frame for the following function.
(7 marks)
1i n t
f u n c ( i n t g , i n t x , i n t f )
2{
3
i n t d , b , a ;
4
s t a t i c s t r ;
5
s t a t i c y = 5 ;
6
a = g − x ;
7
d = a + x ;
8
r e t u r n d ;
9}
12. Calculate the memory address of the “Return Address” field if the offset between the start of the buffer
and ebp is 73 bytes, and ebp is pointing to the address 0xbffea130.
(3 marks)
13. For each of the following variables, specify on which part of the memory it will be located. (5 marks)
CYBR 271
Page 16 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
1. Initialised local variable
2. static ver_foo = 7
3. Uninitialised global variable
4. int *ptr = (int *) malloc(5*sizeof(int)); //(*ptr)
5. static hello;
1.
2.
3.
4.
5.
14. An attacker has identified a vulnerable program that reads from a file and has created abadfile with
the aim of getting a shell via a buffer overflow attack. The attack surface is the strcpy() function that
copies the user input into a buffer.
After checking the memory layout for the compiled code using the debugging mode (gdb), she prepared
a badfile and injected the new return address based on ebp+75 (hex), where ebp is 0xbffffc8b.
She has turned off address randomisation, made the stack executable and disabled all stack countermea-
sures. Her attack should be successful; however, a Segmentation fault error message has been
received instead of a shell when the vulnerable program is executed on the input.
(5 marks)
(a) Explain the role of the NOP (0x90) in the attack and how it increases the chance of a successful
attack.
(1 mark)
(b) Explain what is the main cause of the attack failing.
(4 marks)
CYBR 271
Page 17 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
SECTION C
Format String
[10 marks]
15. What is the “Little-endian” and “Big-endian” representations of the 32-bit integer 0xA934D7B2?
(2 marks)
0
8
16
24
31
0
8
16
24
31
⏟⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏟⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏟
⏟⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏟⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏟
Little-endian
Big-endian
16. The “width” modifier allows you to control the number of characters to be printed out. Using the %x
and %n specifiers along with the width modifier, provide a format string to write 400 (decimal) into a
variable on the stack if you know its address is 16 bytes above the va_list pointer.
(3 marks)
17. An attacker targeted a format string vulnerability on a system, where the aim was to print out a secret
value stored on the system. Based on some investigations, the attacker was able to find the distance
between the address of the secret value and the va_list pointer. Accordingly, she provided 20 %s
specifiers that is enough to advance the pointer to the right position and print out the value. (5 marks)
(a) Explain why her attack was not successful.
(4 marks)
(b) How can you fix the problem?
(1 mark)
CYBR 271
Page 18 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
SECTION D
Web Security
[15 marks]
18. 3. A website (cybr271.com) utilises the ‘Content Security Policy’ (CSP) mechanism to prevent XSS
attacks and allows script code to be executed based on the following CSP role Which of the following
java script codes will, or will not, be allowed to run?
(5 marks)
Content-Security-Policy: default-src ‘self;’ script-src ‘self’
‘nonce-3fX254s’ google.com
1. <script>... JavaScript code ...</script>
2. <script src="stduents.js">... JavaScript code ...</script>
3. <script src="http://abc.com/sss.js">... JavaScript code ...</script>
4. <script nonce="3fX25DD">... JavaScript code ...</script>
5. <script nonce="3fX254s">... JavaScript code ...</script>
1.
2.
3.
4.
5.
19. To defeat XSS attacks, a developer decides to implement filtering on the browser side. Basically, the
developer plans to add JavaScript code on each page, so before data are sent to the server, it filters out
any JavaScript code contained inside the data. Let’s assume that the filtering logic can be made perfect.
Can this approach prevent XSS attacks?
(2 marks)
20. Adopting the Secret Token approach represents an effective mechanism to prevent CSRF attacks, where
the server injects a secret into its own page after the user has been authenticated. This secret token
must be attached with each subsequent request sent from the user’s browser to the server; otherwise, the
request might be discarded. Discuss whether this approach (CSRF tokens) can also be used to prevent
stored XSS attacks or not.?
(3 marks)
CYBR 271
Page 19 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
21. Data sanitisation (including both filtering and encoding approaches) can mitigate SQL-injection attacks,
but does not address the fundamental cause of the problem. Discuss why “Prepared Statements”, on the
other hand, is a perfect solution for this type of attacks.
(3 marks)
22. A web application uses the login form presented in the figure below to allow access only to those who
have a record in the application’s database. The system does not sanitize the input before forming and
submitting the query to the database.
As an attacker, suggest an input that will let you access the system even if you are not registered.
(2 marks)
CYBR 271
Page 20 of 21

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
* * * * * * * * * * * * * * *
CYBR 271
Page 21 of 21

EXAMINATIONS – 2023
TRIMESTER 2
FRONT PAGE
CYBR 271
SECURE PROGRAMMING
26/10/2023 *** WITH
SOLUTIONS ***
Time Allowed:
TWO HOURS (120 minutes)
CLOSED BOOK
Permitted materials: • Onlysilentnon-programmablecalculatorsorsilentprogrammablecalculatorswith
their memories cleared are permitted in this examination.
• Printed foreign to English language dictionaries are permitted.
• No other material is permitted.
Instructions:
• Attempt ALL questions in this booklet.
• This test contributes 35% of your final grade.
• There are 120 marks total.
• Write answers in the spaces provided in the examination booklet.
• Hand in the examination booklet.
Questions
Marks
1. Security Principles
[10]
2. STRIDE and Security Cards
[20]
3. Libraries, Addressing and Ranking Threats
[15]
4. Reviews and Security Testing
[5]
5. Privilege Escalation
[15]
6. Buffer Overflow
[20]
7. Format String
[15]
8. Cross-site Scripting (XSS)
[10]
9. Cross-site Request Forgery (CSRF)
[5]
10. SQL-Injection
[5]
CYBR 271
Page 1 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
1. Security Principles
[10 MARKS]
(a) (4 marks) Consider an Internet banking application where the application allows users to query
their balance and transfer money between accounts.
i. (2 marks) Define the security principle secure data at rest and give a simple example of the
principle in the context of the Internet banking application.
ii. (2 marks) Define the security principle separation of duty and give a simple example of the
principle in the context of the Internet banking application.
(b) (6 marks) You have been hired to review the security of a new smartwatch that has been designed
to detect abnormal heart rhythms. The smartwatch will vibrate when the condition is detected giving
time for the wearer to seek emergency care.
i. (3 marks) The smartwatch collects extra information such as GPS location that is not necessary
for its functionality. Identify the security principle being violated and justify your answer.
ii. (3 marks) When the smartwatch stops measuring heart rhythm due to an error in the software,
it doesn’t indicate that there is an error to the user. Identify the security principle being violated
and justify your answer.
CYBR 271
Page 2 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
2. STRIDE
[20 MARKS]
Consider the following data flow diagram for an online banking system.
(a) (3 marks) Name one each of the following: (i) external entity, (ii) process, and (iii) data store
shown in the diagram.
(b) (4 marks) Identify two categories of threats that are applicable to an external entity and give a
brief description of each threat.
(c) (2 marks) Consider the data flow from the Browser Client/Mobile App Client to the Online Bank-
ing Server. The data flow consists of transactions (e.g. fund transfers, payments). It traverses the
network but is encrypted.
Describe an example of a threat applicable to this data flow, and an appropriate mitigation for the
mentioned threat.
CYBR 271
Page 3 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
(d) (4 marks) The Bank Teller Interface is only available in terminals located within the bank (and its
branches) and requires special access device issued to authorised bank employees only.
Describe a threat where an attacker gains access to the system through spoofing the identity of the
Bank Teller. Propose two layers of mitigation to this potential attack.
For the first mitigation, describe how an attacker can overcome it. The second mitigation must
therefore address the weakness of the first mitigation. You need not describe the weakness of the
second mitigation.
(e) (2 marks) The Mobile App Client was developed by the bank using a group of trusted developers.
Provide two valid reasons why it is drawn outside the trust boundary.
CYBR 271
Page 4 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
(f) (5 marks) Security Cards represent a useful methodology for fundamental learning to aiding pro-
fessional threat modelers, with emphasis on creativity and brainstorming.
i. (4 marks) List the FOUR main questions this method is aiming to provide answers for.
ii. (1 mark) What is a limitation of the Security Cards methodology?
CYBR 271
Page 5 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
3. Libraries, Addressing and Ranking Threats
[15 MARKS]
(a) (2 marks) Discuss one advantage and one disadvantage of using checklists in addressing threats.
(b) (2 marks) Suppose you want to find out whether a particular computer desktop application has
been implemented using programming approaches which are unsafe.
Which of the libraries discussed in the lectures should you consult? Justify your answer.
(c) (5 marks) Consider a web application for a cinema which allows group booking discounts and has
a maximum of fifteen attendees before requiring a deposit. The booking system reserves the seats,
unless it is cancelled. Referring to the 2021 OWASP Top 10 Security Risks:
• What kind of risk is present in this web application?
• How can this risk be exploited?
• What is the impact to the cinema?
Hint: The 2021 OWASP Top 10 Security Risks include: Broken Access Control, Cryptographic
Failures, Sensitive Data Exposure, Injection, Insecure Design, Security Misconfiguration, Vulner-
able and Outdated Components, Identification and Authentication Failures, Software and Data In-
tegrity Failures, Security Logging and Monitoring Failures, and Server-Side Request Forgery.
CYBR 271
Page 6 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
(d) (2 marks) Briefly explain why Microsoft has moved away from using DREAD to using Bug Bars?
(e) (4 marks) A colleague recommends that you purchase cyberinsurance for your company to transfer
the risk associated with ransomware attacks.
What are TWO new risks that might arise from taking out cyberinsurance? Assume that you do not
publicise that you have taken out cyberinsurance.
CYBR 271
Page 7 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
4. Reviews and Security Testing
[5 MARKS]
(a) (3 marks) Name the three code review variations.
(b) (2 marks) Name one advantage and one disadvantage of using static source code analysis tools.
CYBR 271
Page 8 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
5. Privilege Escalation
[15 MARKS]
(a) (3 marks) Unix uses the “9-bit permission mechanism” and groups users into different groups
where access permission can be managed per group. Using the ls -l command, you have got the
following output. Identify the different groups and their corresponding permissions regarding the
script file.
−rw− r − xr −−
1 bob
s t a f f
354 12 Sep 04:53 s c r i p t
(b) (3 marks) What values should be used with the chmod command to grant the following permis-
sions to the script file?
• Others: Cannot read, write and execute.
• Owner: Can read, write and execute.
• Group: Only allowed to write and execute.
$chmod
script
(c) (2 marks) Consider the program mycat which has the following properties shown by the ls -l
command.
−rwxr − xr −x
1 a l i c e
user
354 12 Sep 04:53 mycat
List down the TWO commands (in the correct order) that must be executed to convert mycat into
a Set-UID program.
(Hint: You must use sudo.)
CYBR 271
Page 9 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
(d) (3 marks) Consider the following C program that uses the function system() to execute the
external program cat. The program expects one command-line argument which should be the
name of the text file to be opened and displayed by cat.
1
#include <stdlib.h>
2
int main(int argc, char *argv[])
3
{
4
char cat[] = "/bin/cat";
5
6
if(argc != 2) {
7
printf("Please specify file to open.\n");
8
return 1;
9
}
10
11
char *cmd = malloc(strlen(cat) + strlen(argv[1]) + 2);
12
sprintf(cmd, "%s %s", cat, argv[1]);
13
system(cmd);
14
return 0;
15
}
Assuming the program is Set-UID, how can it be exploited by attackers to potentially escalate priv-
ileges? Describe how to fix the weakness.
(e) (4 marks) Rewrite the above program to fix the problem.
CYBR 271
Page 10 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
6. Buffer Overflow
[20 MARKS]
Note: Unless stated otherwise, assume a 32-bit computer system is being used.
(a) (10 marks) Draw the stack frames for the main() and foo() functions assuming line number
15 is being executed.
1
int foo(int w, int x, int y, int z)
2
{
3
int a, b;
4
static buffer;
5
a = x - z;
6
b = a + y;
7
static k=5;
8
return b;
9
}
10
11
int main(int args)
12
{
13
int result;
14
int str = 5;
15
result = foo(args, 3, 2, str);
16
return result;
17
}
CYBR 271
Page 11 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
(b) (2 marks) Calculate the memory address of the “Return Address” field for the bar() function.
Assume the offset between the start of the buffer variable and ebp is 64 bytes, and ebp is pointing
to the address 0xbffea170.
1
int bar(char *str)
2
{
3
int x;
4
char buffer[50];
5
strcpy(buffer, str);
6
7
return 1;
8
}
(c) (2 marks) For each of the following variables, specify the part of memory in which it will be
located.
1. static int buffer = 7;
2. int *ptr = (int *) malloc(5 * sizeof(int)); //(*ptr)
3. Ininitialised local variables
4. Uninitialised global variables
1.
2.
3.
4.
(d) (2 marks) Consider buffer overflow countermeasures. Answer the following based upon what you
observe in the following figure.
[ 1 0 / 2 6 / 2 3 ] seed@VM$ . / s t a c k
* * * Stack smashing d e t e c t e d * * * :
. / s t a c k t e r m i n t a e d
[ 1 0 / 2 6 / 2 3 ] seed@VM$ ▮
i. (1 mark) State the name of the countermeasure used above.
ii. (1 mark) Briefly discuss how this countermeasure mechanism works.
CYBR 271
Page 12 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
(e) (4 marks) An attacker has identified a vulnerable program that reads from a file and has created
a badfile with the aim of getting a Unix shell via a buffer overflow attack. The attack surface is
the strcpy() function that copies the user input into a buffer.
After checking the memory layout for the compiled code using the debugging mode (gdb), they
prepared a badfile and injected the new return address based on ebp+96 (hex), where ebp is
0xbffffb6a.
They have turned off address randomisation, made the stack executable and disabled all stack coun-
termeasures. Their attack should be successful; however, a Segmentation fault error mes-
sage has been received instead of a Unix shell when the vulnerable program is executed on the input.
i. (1 mark) Briefly explain the role of the NOP operation (0x90) in the attack.
ii. (3 marks) Explain the main reason why the attack failed.
CYBR 271
Page 13 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
7. Format String
[15 MARKS]
Note: Unless stated otherwise, assume a 32-bit computer system is being used.
(a) (2 marks) What is the “Little-endian” and “Big-endian” representations of 0xFF89C39A?
0
8
16
24
31
0
8
16
24
31
⏟⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏟⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏟
⏟⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏟⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏞⏟
Little-endian
Big-endian
(b) (3 marks) The width modifier allows you to control the number of characters to be printed out.
Using the %x and %n specifiers along with the width modifier, provide a format string to write the
number 250 (decimal) into a variable on the stack if you know its address is 12 bytes above the
va_list pointer.
(c) (5 marks) An attacker targeted a format string vulnerability on a system, where the aim was to
print out a secret value stored on the system. Based on some investigations, the attacker was able
to find the distance between the address of the secret value and the va_list pointer. Accordingly,
they provided 15 %s specifiers that is enough to advance the pointer to the right position and print
out the value.
i. (3 marks) Explain why her attack was not successful.
ii. (2 marks) How can you fix the problem and make the attack succeed?
(d) (5 marks) An attacker decided to exploit the formatting string vulnerability to execute her malicious
code. She needs to replace the value of the Return Address with one of the NOP’s addresses. She
decided to use the length modifier %hn and adopt the fast approach to injecting the address of her
malicious code into the Return Address.
Write a single formatting string she needs to use to successfully inject the value 0xbffff226 (the
address of the malicious code) into the address 0xbffff384 (the Return Address) if you know the
distance between va_list and the Return Address is 24 bytes.
CYBR 271
Page 14 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
8. Cross-site Scripting (XSS)
[10 MARKS]
(a) (2 marks) Briefly explain the role of the vulnerable website in persistent XSS.
(b) (4 marks) A website (cybr271.com) utilises the ‘Content Security Policy’ (CSP) mechanism to
prevent XSS attacks and allows script code to be executed based on the following CSP role.
Explain the meaning of this CSP.
Content-Security-Policy: default-src ‘self’; script-src ‘self’
‘nonce-3fX254s’ wgtn.ac.nz
‘sha256-V2kaaafImTjn8RQTWZmF4IfGfQ7Qsqsw9GWaFjzFNPg=’;
(c) (2 marks) To defeat XSS attacks, a developer decides to implement filtering on the browser side. Basically,
the developer plans to add JavaScript code on each page, so before data are sent to the server, it filters out
any JavaScript code contained inside the data. Let’s assume that the filtering logic can remove individual
well-formed JavaScript keywords from the data reliably with 100 percent accuracy.
Can this approach prevent all XSS attacks? Justify your answer.
(d) (2 marks) The nonce and hashing mechanisms can be used to allow inline script code to run on a page.
Which of the two mechanisms is preferred as a countermeasure against XSS attacks? Justify your answer.
CYBR 271
Page 15 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
9. Cross-site Request Forgery (CSRF)
[5 MARKS]
(a) (2 marks) Adopting the Secret Token approach represents an effective mechanism to prevent CSRF attacks,
where the server injects a secret into its own page after the user has been authenticated. This secret token must
be attached with each subsequent request sent from the user’s browser to the server; otherwise, the request
might be discarded.
Can this approach (i.e., CSRF tokens) also be used to prevent stored XSS attacks? Justify your answer.
(b) (2 marks) The fundamental cause of CSRF is that the server cannot distinguish whether the request is
initiated from the same-site or cross-site. One solution is where the browser can help by utilising the Referer
Header field.
Briefly explain the main limitation of this solution.
(c) (1 mark) Briefly explain why the use of HTTPS doesn’t protect against CSRF attacks?
CYBR 271
Page 16 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
10. SQL-Injection
[5 MARKS]
(a) (2 marks) Data sanitisation (including both filtering and encoding approaches) can mitigate SQL-
injection attacks, but does not address the fundamental cause of the problem.
Briefly explain why “Prepared Statements” is a perfect solution for this type of attacks.
(b) (2 marks) To defeat SQL injection attacks, a web application has implemented a filtering scheme
on the client side. Basically, on the page where users type their data, a filter is implemented us-
ing JavaScript. The filter removes any special characters found in the data, such as apostrophes,
characters for comments, and keywords reserved for SQL statements.
Assume that the filtering logic does its job, and can remove all the code from the data; is this solution
able to defeat SQL injection attacks? Justify your answer.
(c) (1 mark) The following SQL statement is sent to the database to add a new user to the database,
where the content of the $name and $passwd variables are provided by the user, but the EID and
Salary field are set by the system.
How can a malicious employee set his/her salary to a value higher than 80000?
Assume:
• username is “smithbob”
• password is “pass123”
1
$sql = "INSERT INTO employee (Name, EID, Password, Salary)
2
VALUES ('$name', 'EID6000', '$passwd', 80000)";
CYBR 271
Page 17 of 19

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
* * * * * * * * * * * * * * *
CYBR 271
Page 19 of 19

EXAMINATIONS – 2024
TRIMESTER 2
FRONT PAGE
CYBR 271
SECURE CODING
07/11/2024
*** WITH SOLUTIONS ***
Time Allowed: TWO HOURS (120 minutes)
Instructions:
• Attempt ALL questions in this booklet.
• Only silent non-programmable calculators or silent programmable calculators with
their memories cleared are permitted in this examination.
• Printed foreign to English language dictionaries are permitted.
• Write answers in the spaces provided in the examination booklet.
• Hand in the examination booklet.
Questions
Marks
1. Security Principles
[5]
2. STRIDE Threat Modeling
[10]
3. Risk Assessment and Attack Trees
[10]
4. Security Reviews, Testing, and Supply Chain Attacks
[10]
5. Privilege Escalation
[10]
6. Buffer Overflow and Return-to-libc
[20]
7. Format String
[12]
8. Cross-site Scripting (XSS)
[10]
9. Cross-site Request Forgery (CSRF)
[8]
10. SQL-Injection
[5]
CYBR 271
Page 1 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
1. Security Principles
(5 marks)
Consider a smart home system that allows users to remotely control their home’s lighting, temperature,
door locks, and security cameras via a mobile app.
(a) (2 marks) Define the security principle of "least privilege" and give an example of how this
principle can be applied in the context of the smart home system.
(b) (2 marks) Define the security principle of "fail securely" and give an example of how this principle
can be applied in the context of the smart home system.
(c) (1 mark) Briefly explain why applying these security principles is important in the context of smart
home systems.
CYBR 271
Page 3 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
2. STRIDE Threat Modeling
(10 marks)
Consider an online voting system for a university student election. The system allows students to log in,
view candidate information, and cast their votes securely.
(a) (5 marks) Draw a simple DFD representing the system. It must include at least one of each type
of element e.g., data flow, data store, process, interactors and trust boundary.
(b) (5 marks) Apply the STRIDE model to the online voting system scenario. Identify five potential
threats, each from a different STRIDE category, and briefly explain how they could impact the
system.
CYBR 271
Page 5 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
3. Risk Assessment and Attack Trees
(10 marks)
Consider a cloud-based file storage service that allows users to upload, store, and share files.
(a) (5 marks) Create a simple attack tree for an attacker trying to gain unauthorized access to a user’s
files in the cloud storage service. Include at least two levels in your tree and one AND node.
(b) (5 marks) Pick a threat from your tree and apply DREAD to come up with an overall risk score
(0-50). Make sure that you explain your reasoning and assumptions.
CYBR 271
Page 7 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
4. Security Reviews, Testing, and Supply Chain Attacks
(10 marks)
Consider a software company developing a new e-commerce platform integrating various third-party
components for payment processing, inventory management, and customer analytics.
(a) (5 marks) Briefly explain why manual testing might be more effective than automatic testing for
identifying vulnerabilities in the payment processing integration.
(b) (3 marks) Briefly explain what a supply chain attack is and why it’s a significant concern for this
e-commerce platform. Provide an example related to one of the platform’s components.
(c) (2 marks) Briefly describe a measure the e-commerce platform developers could implement to
mitigate the risks of supply chain attacks.
CYBR 271
Page 9 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
5. Privilege Escalation
(10 marks)
Consider a Unix-based system where multiple users have access to various applications and resources.
(a) (2 marks) Briefly explain what privilege escalation is and why it’s a significant security concern.
(b) (3 marks) Briefly describe the concept of Set-UID programs in Unix systems. What is their
purpose, and how do they work?
Consider the following C code snippet for a Set-UID program:
1 #include <stdlib.h>
2 #include <stdio.h>
3 int main(int argc, char *argv[]) {
4
char command[256];
5
sprintf(command, sizeof(command), "/bin/echo %s", argv[1]);
6
system(command);
7
return 0;
8 }
(c) (5 marks) Briefly explain why the Set-UID program shown is vulnerable to privilege escalation,
how an attacker might exploit it and how the risk can be mitigated.
CYBR 271
Page 11 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
6. Buffer Overflow and Return-to-libc
(20 marks)
Note: Unless stated otherwise, assume an Intel x86 32-bit computer system is being used.
(a) (6 marks) Draw the stack frame of the foo() function assuming line number 5 is being executed
and cdecl calling convention is used.
1 int foo(int a, int b, int c, int d)
2 {
3
static char buffer;
4
int i, j;
5
i = a - d;
6
j = b + i;
7
return j;
8 }
9
10 int bar(char arg)
11 {
12
int result;
13
int str = 5;
14
static int k=5;
15
result = foo(arg, 3, 2, str);
16
return result+k;
17 }
CYBR 271
Page 13 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
(b) (4 marks) How many bytes is the stack frame of the function bar()? Briefly justify your answer
by providing a breakdown of the stack frame contents and their respective sizes. You can ignore any
alignment requirements in your answer.
(c) (2 marks) Calculate the memory address of the “Return Address” field for the qux() function
given below. Assume the offset between the start of the buffer variable and ebp is 64 bytes, and
ebp is pointing to the address 0xbffea190. Justify your answer by providing a working of the
solution.
1 int buf(char *str)
2 {
3
int x;
4
char buffer[8];
5
strcpy(buffer, str);
6
7
return 1;
8 }
(d) (2 marks) Briefly describe the role of canary as a buffer overflow countermeasure.
CYBR 271
Page 14 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
(e) (2 marks) Which countermeasure does return-to-libc aim to defeat? Briefly explain how return-
to-libc is able to overcome the said countermeasure.
(f) (3 marks) Briefly explain the three main tasks in a return-to-libc attack.
(g) (1 mark) Briefly explain how an attacker can pass a custom string to a program which can then be
used in the return-to-libc attack.
CYBR 271
Page 15 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
7. Format String
(12 marks)
Note: Unless stated otherwise, assume an Intel x86 32-bit computer system is being used.
(a) (8 marks) Consider the following program:
1 #include <stdio.h>
2
3 void fmtstr()
4 {
5
char input[100];
6
int var = 0xbeefbeef;
7
int secret = 0x11223344;
8
int i = 0;
9
10
printf("Please enter a string: ");
11
fgets(input, sizeof(input) , stdin);
12
printf(input);
13 }
14
15 void main ()
16 {
17
fmtstr ();
18 }
Assume that the distance between the variable i and va_list is 20 bytes.
i. (2 marks) Construct an input that is guaranteed to crash the program. Justify your answer.
ii. (3 marks) Construct an input that will print out the variable secret. Justify your answer.
CYBR 271
Page 17 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
iii. (3 marks) Construct an input that will change the value of the variable var to any value.
Assume that var is at address 0x41424344. Justify your answer.
Hint: You may use the fact that 0x41 is the ASCII character ’A’.
(b) (4 marks) Briefly describe two countermeasures that can prevent format string attacks.
CYBR 271
Page 18 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
8. Cross-site Scripting (XSS)
(10 marks)
(a) (2 marks) Briefly explain one particular website behavior that can make it vulnerable to non-
persistent XSS attack.
(b) (2 marks) Briefly explain the two approaches that a Javascript code can use to self-propagate.
(c) (4 marks) A website (cybr271.org) utilises the Content Security Policy (CSP) mechanism to
prevent XSS attacks and allows script to be executed based on the following CSP.
Explain the meaning of this CSP.
Content-Security-Policy: default-src ‘self’;
script-src ‘self’ ‘nonce-3efsdfsdff’ victoria.ac.nz’;
CYBR 271
Page 19 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
(d) (2 marks) The nonce and hashing mechanisms can be used to allow inline script code to run on a
page. Briefly discuss one advantage of nonce over hashing.
CYBR 271
Page 20 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
9. Cross-site Request Forgery (CSRF)
(8 marks)
(a) (2 marks) A CSRF attack involves three parties: a victim user, a targeted website, and a malicious
website that is controlled by an attacker. What important requirement regarding the user session with
respect to the targeted website should be satisfied for the attack to be successful? Briefly explain
what will happen if this condition is not satisfied.
(b) (3 marks) Briefly explain what the referer header is, how it can prevent a CSRF attack, and
one of its drawbacks.
(c) (3 marks) Briefly explain how same-site cookies can enhance CSRF protection. Briefly discuss
one disadvantage of SameSite=Strict attribute value.
CYBR 271
Page 21 of 24

Student ID: . . . . . . . . . . . . . . . . . . . . . . . .
10. SQL-Injection
(5 marks)
(a) (2 marks) Briefly explain what “prepared statements” are, and the underlying principle that it uses
to mitigate SQL-injection attacks.
(b) (3 marks) The following SQL statement is sent to the database to add a new user to the database,
where the content of the $name and $passwd variables are provided by the user, but the EID and
Balance field are set by the system.
Assume the malicious user has the following credentials:
• username is “malice”
• password is “abc123”
The SQL query in the web page is:
1
$sql = "INSERT INTO account (Name, EID, Password, Balance)
2
VALUES ('$name', 'EID6000', '$passwd', 0)";
Suppose in the new user creation page, it asks for the username and password. What values should
a malicious user use to set his/her balance to a particular value, say 1000000?
CYBR 271
Page 23 of 24

Document Outline