Section A Answer Section A questions in Answer Book A A1.

a) Explain how http

and https differ in the ways in which they work and assess the security offered by
EACH. (5 marks) b) Evaluate THREE security advantages and TWO risks associated
with the https protocol. (5 Marks) c) What is meant by single-factor
authentication (SFA) and two-factor authentication (2FA)? Give an example of the
typical use of EACH. (5 Marks) d) What are the advantages of 2FA over SFA?
Evaluate THREE ways of implementing 2FA, demonstrating how security is
enhanced and risks mitigated.

Certainly! Here's an outline for addressing each part of Question A1:

a) **Difference between HTTP and HTTPS:**

- HTTP (Hypertext Transfer Protocol) operates over a plain text format, while
HTTPS (Hypertext Transfer Protocol Secure) is encrypted using SSL/TLS.

- HTTP transmits data in plain text, making it vulnerable to eavesdropping, while

HTTPS encrypts data during transmission, enhancing security.

- HTTPS provides authentication and data integrity, ensuring a secure

connection between the client and server.

b) **Security Advantages and Risks of HTTPS:**

- Advantages:

1. **Data Encryption:** HTTPS encrypts transmitted data, securing it from

unauthorized access.

2. **Authentication:** Verifies the identity of the website, ensuring users are

connecting to the intended site.

3. **Data Integrity:** Protects against data tampering during transmission.

 - Risks:

1. **Certificate Issues:** Expired or incorrectly configured SSL certificates can

cause connection issues.

2. **Mixed Content:** Loading non-secure content on an HTTPS page can

compromise security.

c) **Single-Factor Authentication (SFA) vs. Two-Factor Authentication (2FA):**

- SFA: Relies on a single method for authentication (e.g., password or biometric),

such as logging into an email account with only a password.

- 2FA: Requires two different authentication factors (e.g., password and SMS
code), providing an additional layer of security.

d) **Advantages of 2FA over SFA:**

- Enhanced Security: 2FA provides an extra layer of defense against

unauthorized access.

- Reduced Vulnerability: Even if one factor is compromised, the second factor

adds an additional barrier.

**Implementing 2FA:**

1. **SMS Verification:** Sending a unique code to a user's phone for

verification.

2. **Authentication Apps:** Generating time-based codes through apps like

Google Authenticator.

3. **Biometric Verification:** Using fingerprints or facial recognition along with

a password for access.
Each method strengthens security by requiring a second form of verification,
thereby mitigating the risks associated with relying solely on a single factor for
authentication.

A2. a) Compare and contrast FTP, BitTorrent and peer-to-peer network

technologies. In your answer you SHOULD include an assessment of: i) How each
of the mechanisms work; ii) The architectural issues associated with each; iii) An
evaluation of the principal advantages and disadvantages of each, with reference
to security, robustness and reliability. Include an annotated diagram to illustrate
the workings of EACH. (15 marks) b) Explain the use of the .htaccess
and .htpasswd files to control access to web pages. (3 marks) c) What is the REST
architectural model? Explain the MAIN principles by which it is applied to web
services.

Certainly! Here's how you might approach answering each part of question A2:

### A2.

**a) Comparison of FTP, BitTorrent, and Peer-to-Peer (P2P) Network

Technologies:**

**FTP (File Transfer Protocol):**

- **How it works:** FTP involves a client-server model where a client connects to

a server to transfer files. It operates over TCP/IP and requires authentication.
- **Architectural Issues:** Primarily designed for file transfer and lacks robust
security features. Vulnerable to eavesdropping due to lack of encryption.

- **Advantages & Disadvantages:**

- *Advantages:* Simplicity, wide compatibility, and ease of use.

- *Disadvantages:* Lack of encryption leads to security vulnerabilities.

**BitTorrent:**

- **How it works:** Utilizes a P2P protocol for file sharing, breaking files into
small chunks and distributing them among peers who share the same file.

- **Architectural Issues:** Decentralized network with no central server, enabling

efficient data distribution but presenting challenges in controlling unauthorized
sharing.

- **Advantages & Disadvantages:**

- *Advantages:* High-speed downloads, decentralized architecture.

- *Disadvantages:* Susceptible to illegal sharing, lack of control over file

distribution.

**Peer-to-Peer (P2P) Networks:**

- **How it works:** Connects computers directly to share resources without a

centralized server. Popular for sharing files, resources, and content.

- **Architectural Issues:** Lacks central authority, which can lead to security

vulnerabilities and unregulated sharing.

- **Advantages & Disadvantages:**

- *Advantages:* Decentralization, scalability, and shared resources.

 - *Disadvantages:* Security risks, potential for illegal file sharing.

**Annotated Diagrams:** Provide labeled illustrations depicting how each

mechanism functions architecturally.

**b) .htaccess and .htpasswd Files:**

- **Explanation:** These files are used in Apache web server environments to

control access to specific web pages or directories.

- **Functionality:** `.htaccess` stores configurations for authentication, access

control, redirects, etc., while `.htpasswd` stores usernames and passwords
encrypted for authentication.

- **Purpose:** They enable website owners to secure specific areas of their sites,
requiring a username and password

for access.

**c) REST Architectural Model:**

- **Explanation:** REST (Representational State Transfer) is an architectural style

for designing networked applications, particularly web services.

- **Principles:**

1. **Statelessness:** Each request from a client must contain all necessary

information; the server should not store client state.

2. **Uniform Interface:** Resources are uniquely identifiable and manipulated

using standard methods (e.g., HTTP methods like GET, POST, PUT, DELETE).
 3. **Client-Server Architecture:** Separation of concerns between client and
server, allowing them to evolve independently.

4. **Cacheability:** Responses from the server should indicate whether they

can be cached or not.

5. **Layered System:** A client interacts with the server without knowing the
underlying system's complexities, allowing for system scalability.

- **Application to Web Services:** REST principles enable interoperability,

simplicity, and scalability in designing and implementing web services.

For each aspect, use examples, diagrams, or case studies to illustrate and support
your explanations and evaluations. This structure will ensure a comprehensive
and well-supported response to each part of the question.

Section B Answer Section B questions in Answer Book B B3. a) Assess FOUR main
advantages OR disadvantages of file-based and databasebased data storage for
XML web applications. Explain when it is advantageous to use each. (8 marks) b)
Evaluate an architecture that is designed to protect a database server connected
to a web application from external attack. Evaluate the effectiveness in doing this.
(7 marks) c) Describe the principles of a SQL Injection attack. What data could be
accessed by means of such an attack and how might this be prevented? Provide
an example of how such an attack can be prevented, with example code. (10
marks)

Certainly! Here's a structured way to approach answering each part of question

B3:

### B3.
**a) File-based vs. Database-based Data Storage for XML Web Applications:**

**Advantages and Disadvantages:**

**File-based Storage:**

- **Advantages:**

1. **Simplicity and Portability:** Easy to manage, transport, and backup as

individual files.

2. **Speed:** Faster access for small-scale applications due to direct file access.

- **Disadvantages:**

1. **Limited Scalability:** Not suitable for large datasets due to limited query
capabilities.

2. **Data Integrity:** More prone to data redundancy and inconsistency.

**Database-based Storage:**

- **Advantages:**

1. **Scalability and Performance:** Efficient for handling large datasets with

complex queries.

2. **Data Integrity:** Ensures consistency and integrity through relational

constraints.

- **Disadvantages:**

1. **Complexity:** Setting up and maintaining databases requires expertise and

resources.
 2. **Cost:** Often involves licensing fees, hardware, and maintenance costs.

**When to Use Each:**

- **File-based Storage:** Suitable for smaller projects or applications where

simplicity and portability are prioritized.

- **Database-based Storage:** Ideal for larger projects or applications requiring

scalability, complex queries, and data integrity.

**b) Protecting a Database Server in a Web Application:**

**Architecture to Protect Database Servers:**

- Utilize firewalls, intrusion detection systems (IDS), and encryption protocols to

secure network access.

- Implement parameterized queries and stored procedures to prevent SQL

injection.

- Regularly update and patch the database server and application to fix
vulnerabilities.

- Employ strong authentication mechanisms and least privilege access controls.

**Effectiveness Evaluation:**

- Assess how well the architecture addresses potential vulnerabilities and threats.

- Evaluate if the architecture's components (firewalls, encryption, secure coding

practices) effectively mitigate risks.
- Consider real-life case studies or examples demonstrating successful protection
against external attacks.

**c) SQL Injection Attack:**

**Principles of SQL Injection:**

- Exploits vulnerabilities in web applications allowing attackers to execute

malicious SQL commands.

- Attackers manipulate input fields to inject SQL code, allowing unauthorized

access or manipulation of the database.

**Data Accessed:** Attackers can gain access to sensitive data, execute

administrative operations, or modify database content.

**Prevention Strategies:**

- Use parameterized queries or prepared statements to sanitize user inputs and

prevent code injection.

- Escaping special characters or implementing input validation to restrict

unwanted SQL commands.

- An example code snippet demonstrating parameterized queries or input

sanitization techniques can illustrate prevention.

Ensure to provide concrete examples, code snippets, or diagrams to support and

illustrate your points effectively, enhancing the clarity and depth of your
response.
B4. a) Describe what is meant by a Document Type Definition (DTD) and how it is
used. (4 marks) b) Explain why an application would use a DTD when the XML
document follows the same structure. (3 marks) c) Consider the XML file in figure
5.1 below. ACME Engineering Office Manager Managing an office of 25 staff
Sheffield Fred Bassett +441234667788 f.bassett@acme.co.uk £40000 1 August
2020 Driver Day journeys over much of the north of England Peak District Evans
+441298777555 £20000 Figure 5.1 Construct a DTD which includes the same rules
as shown in this example. It should also be noted that the employer code must be
present only once, for EACH employer. (12 marks) (page 5) d) It has been decided
to add an identifier to each job vacancy of the form that identifies whether the
job is full or part time (identified by either Full or Part – these are the only
possible values). This field MUST appear at least once, and if not specified shall
have the value Full. Show how your answer would need to be modified to
incorporate this, with a full explanation of how it functions. (6 marks)

Certainly! Here's a breakdown of the responses to each part of question B4:

### B4.

**a) Document Type Definition (DTD) Explanation:**

- **Definition:** A DTD defines the structure and constraints of an XML

document.

- **Usage:** It specifies the elements, attributes, and their relationships, acting

as a schema for XML validation.

- **Example:** The DTD defines the document's structure, ensuring conformity

to its rules.
**b) Purpose of Using DTD When XML Follows the Same Structure:**

- **Ensuring Conformity:** Even when the XML document follows a consistent

structure, a DTD acts as a formal declaration of this structure.

- **Validation:** DTDs validate XML documents against a defined structure,

ensuring they adhere to specified rules.

**c) Constructing a DTD for the Given XML Structure:**

```xml

<!ELEMENT EmployerList (Employer+)>

<!ELEMENT Employer (Employer_name, Employer_url, Job_vacancy+)>

<!ATTLIST Employer CODE CDATA #REQUIRED>

<!-- Employer Elements -->

<!ELEMENT Employer_name (#PCDATA)>

<!ELEMENT Employer_url EMPTY>

<!ATTLIST Employer_url page CDATA #REQUIRED>

<!-- Job_vacancy Elements -->

<!ELEMENT Job_vacancy (Job_title, Job_description, Job_location, Contact,

Job_salary, Start_date)>

<!ELEMENT Job_title (#PCDATA)>

<!ELEMENT Job_description (#PCDATA)>

<!ELEMENT Job_location (city | district)>

<!ELEMENT city (#PCDATA)>

<!ELEMENT district (#PCDATA)>

<!ELEMENT Contact (Contact_name, Contact_phone, Contact_email)>

<!ELEMENT Contact_name (title, first_name?, last_name)>

<!ELEMENT title (#PCDATA)>

<!ELEMENT first_name (#PCDATA)>

<!ELEMENT last_name (#PCDATA)>

<!ELEMENT Contact_phone (#PCDATA)>

<!ELEMENT Contact_email (#PCDATA)>

<!ELEMENT Job_salary (#PCDATA)>

<!ELEMENT Start_date (#PCDATA)>

```

**d) Modification to Incorporate Identifier for Full/Part-time Jobs:**

- **Modified DTD:**

```xml

<!-- Job_vacancy Elements Modification -->

<!ELEMENT Job_vacancy (Job_title, Job_description, Job_location, Contact,

Job_salary, Start_date, Job_type?)>

<!ELEMENT Job_type (#PCDATA)>

```
- **Explanation:**

- Added `Job_type` element to `Job_vacancy`.

- It holds values indicating Full or Part-time jobs.

- The element is optional, allowing either value or defaulting to Full if not

specified.

This revised DTD includes the required structure for both employer and job
vacancy information. The addition of the `Job_type` element provides the
flexibility to identify job roles as either Full or Part-time, ensuring that each
vacancy includes this information.

Ensure to check the syntax and specifics of the DTD based on your XML
requirements, adapting it accordingly for your project's needs.

B5. a) What is meant by the following acronyms? i) DOM; ii) CGI; iii) XSLT. Explain
with examples when you would use EACH. (12 marks) b) What are blogs, WIKIS
and RSS? Evaluate how they differ in the way in which they are used and assess
the differences that make each appropriate for particular uses, with examples.
Evaluate how they differ from traditional web applications. (13 marks) End of
Examination

Certainly! Here's a breakdown of the responses to each part of question B5:

### B5.

**a) Explanation of Acronyms:**

i) **DOM (Document Object Model):**

- **Definition:** DOM represents the hierarchical structure of HTML or XML

documents, enabling programmatic access and manipulation.

- **Use Case:** Developers use DOM to dynamically access and alter document
content using scripting languages like JavaScript. For instance, updating text or
modifying HTML elements based on user actions.

ii) **CGI (Common Gateway Interface):**

- **Definition:** CGI facilitates communication between a web server and

external programs to generate dynamic content.

- **Use Case:** CGI scripts are employed to process form data, interact with
databases, or generate dynamic web content. For example, a form submission
could trigger a CGI script to process user input and generate a customized
response.

iii) **XSLT (Extensible Stylesheet Language Transformations):**

- **Definition:** XSLT transforms XML documents into different

structures/formats using XSL stylesheets.

- **Use Case:** XSLT is utilized to convert XML data into various formats like
HTML, PDF, or another XML structure. For instance, transforming an XML file into
HTML for web display using XSLT templates.

**b) Blogs, Wikis, and RSS:**

- **Blogs:** Platforms for individuals/organizations to post entries, typically in

chronological order, sharing thoughts, news, or opinions. They engage audiences
in conversations via comments.
 - *Use Case:* Personal blogs (e.g., WordPress) for self-expression or corporate
blogs (e.g., Medium) for marketing and engagement.

- **Wikis:** Collaborative websites enabling users to add/edit content. They

facilitate collective knowledge building and editing.

- *Use Case:* Wikipedia is a well-known example, allowing users worldwide to

contribute to encyclopedia articles collaboratively.

- **RSS (Really Simple Syndication):** An XML-based format to syndicate

frequently updated content from various websites. It enables users to subscribe
and receive content updates.

- *Use Case:* Users subscribe to RSS feeds of news websites, blogs, or podcasts,
getting real-time updates without visiting individual sites.

**Differences from Traditional Web Applications:**

- **Blogs/Wikis/RSS vs. Traditional Web Apps:**

- Blogs/Wikis focus on content creation and collaboration among users.

- Traditional web apps often serve specific functionalities (e.g., e-commerce,

social networks) with interactive elements beyond content publication.

**Assessment of Differences:**

- Blogs/Wikis/RSS offer user-generated content and interactivity, fostering

collaboration and information dissemination.

- Traditional web apps emphasize specific functionalities or services, often

offering user interaction beyond content consumption.
These platforms vary in their core functionalities and user interaction paradigms,
catering to diverse needs in content sharing, collaboration, and information
consumption on the internet.