Peyrin & S 161 Summer 2020 Computer Security
Final Exam
For questions with circular bubbles, you may select exactly one choice on Gradescope. Unselected option
Only one selected option
For questions with square checkboxes, you may select one or more choices on Gradescope.
You can select
multiple squares
For questions with a large box, you need to write a short answer in the corresponding text box on Gradescope.
You have 170 minutes. There are 10 questions of varying credit (250 points total).
The exam is open note. You can use an unlimited number of handwritten cheat sheets, but you must work alone.
Clarifications will be posted at https://cs161.org/clarifications.
Q1 MANDATORY – Honor Code (7 points) Read the honor code on the Gradescope answer sheet and type your name. Failure to do so will result in a grade of 0 for this exam.
Page 1 of 24
Q2 True/false (56 points) Each true/false is worth 2 points.
Q2.1 True or False: You should always use HMAC instead of any other MAC because HMAC has stronger integrity and authentication guarantees than any other MAC.
True False
Q2.2 True or False: A MiTM during the Diffie- Exchange can force both parties to derive a shared key (that the MiTM doesn’t necessarily know) that is different than the one they would’ve derived otherwise.
True False
Q2.3 True or False: A MiTM during the Diffie- Exchange can force both parties to unknowingly derive different keys that the MiTM knows.
True False
Q2.4 True or False: A MiTM during the Diffie- Exchange can force both parties to derive a set of pre-determined keys that the MiTM knows.
True False
Q2.5 TrueorFalse:CSRFtokensareaneffectivedefenseagainstCSRFattacksonlyifclients’browsers respect the same-origin policy.
True False
Q2.6 True or False: An XSS vulnerability in a website cannot be exploited to gain control over a user’s session if the session cookie has the HttpOnly flag set.
True False
Q2.7 True or False: https://secure.bank.com is able to set the following cookie using the Set-
Cookie header: session=1234567; Domain=bank.com; HttpOnly. True False
Q2.8 True or False: A user wants their web traffic to appear like it’s coming from somewhere else with the lowest latency possible. This user should prefer a VPN instead of Tor.
True False
Q2.9 TrueorFalse:InBitcoin,onceatransactionissuccessfullyaddedtotheblockchain,itcannever be lost.
True False
Q2.10 When you log in to Zoom, you make a POST Request to https://zoom.us/berkeley/signin with an email and password in the form data. The Response contains a session token cookie without the Secure flag set.
True or False: An on-path attacker could steal your session token by observing only this request.
Final Exam Page 2 of 24 CS 161 – Summer 2020
True False
Q2.11 When you go to https://berkeley.zoom.us/m/stanford, you see an image of Stanford’s lawn. The page source shows that the image is being loaded from http://stanford.zoom.us/i/stanford.png.
True or False: This a violation of the same-origin policy. True False
Q2.12 You’re using Tor with three intermediate nodes. Assume all nodes are handling a large amount of traffic.
True or False: Even if two of those nodes are compromised, your anonymity is still protected.
[Clarification during exam: This question was thrown out during the exam, and both True and False were accepted as valid answers. See solution for why.]
True False
Q2.13 Instead of using Tor, you forward your traffic through three intermediate proxies unencrypted.
Using these proxies, you log into https://twitter.com
True or False: Assuming the entry proxy is honest, the middle and exit proxies cannot figure
out your identity
True False
Q2.14 You decide to use a recursive resolver which uses DNSSEC. Your client uses standard DNS. True or False: An on-path adversary cannot poison your client’s cached DNS records.
True False
Q2.15 A recursive resolver supports DNSSEC. The resolver contacts three other nameservers to answer a certain query.
True or False: All three nameservers must support DNSSEC in order for DNSSEC to provide any guarantees.
True False
Q2.16 True or False: DHCP is secure against an on-path attacker. True False
Q2.17 True or False: Using HTTPS is a good defense against clickjacking attacks. True False
Q2.18 True or False: Spearphishing is more dangerous than standard phishing because it uses infor- mation about the victim.
Final Exam Page 3 of 24 CS 161 – Summer 2020
True False
Q2.19 True or False: If a website only allows HTTPS connections, it is secure from SQL injection attacks.
True False
Q2.20 True or False: Parameterized SQL stops all SQL injection attacks. True False
Q2.21 Consider a website which inserts user input into a database using a SQL query. The information in the database is then used in subsequent internal SQL queries.
True or False: If the SQL query that accepts user input is parameterized, but the internal ones do not, then the website will be secure from SQL injection attacks.
True False
Q2.22 True or False: Return-oriented programming (ROP) is not effective if non-executable pages (DEP or WˆX) are enabled.
True False
Q2.23 True or False: Format string vulnerabilites are not effective if ASLR is enabled. True False
Suppose you find a stored XSS vulnerability on https://berkeley.zoom.us/m/1234.
Q2.24 True or False: Some cookies set by https://berkeley.zoom.us/ could be read using your
exploit.
True False
Q2.25 True or False: Some cookies set by https://berkeley.zoom.us/ could be modified using your exploit.
True False
Q2.26 TrueorFalse:Somecookiessetbyhttp://zoom.berkeley.edu/m/1234couldbereadusing your exploit.
True False
Q2.27 TrueorFalse:Somecookiessetbyhttps://berkeley.zoom.us/m/1234couldbemodified using your exploit.
True False
Q2.28 TrueorFalse:Somecookiessetbyhttp://stanford.zoom.us/m/1234couldbereadusing your exploit.
Final Exam Page 4 of 24 CS 161 – Summer 2020
True False
This is the end of Q2. Proceed to Q3 on your answer sheet.
Final Exam Page 5 of 24 CS 161 – Summer 2020
Q3 Password Storage (28 points) Bob is trying out different methods to securely store users’ login passwords for his website.
Mallory is an attacker who can do some amount of offline computation before she steals the passwords file, and some amount of online computation after stealing the passwords file.
Technical details:
• Each user has a unique username, but several users may have the same password.
• Mallory knows the list of users registered on Bob’s site.
• Bob has at most 500 users using his website with passwords between 8–12 letters.
• Mallory’s dictionary contains all words that are less than 13 letters. [Clarification during exam:
Mallory’s dictionary contains all possible user passwords.]
• Mallory can do 𝑁 online computations and 500𝑁 offline computations where 𝑁 is the number of
words in the dictionary.
• Slow hash functions take 500 computations per hash while fast hash functions require only 1
computation.1 Notation:
• HS and HF, a slow and fast hash function
• Sign, a secure signing algorithm
• uname and pwd, a user’s username and password • k, a signing key known only by Bob decides to use signatures in his scheme, assume he will verify them when processing a log-in.
Q3.1 (2 points) How many times could Mallory hash every word in the dictionary using HS with offline
computation?
(A) She can’t hash the whole dictionary
(B) 1 (C) 500
(D) None of the above
(E) (F)
Q3.2 (2 points) How many times could Mallory hash every word in the dictionary using HF with online computation?
(G) She can’t hash the whole dictionary (H) 1
(I) 500
(J) None of the above
(K) (L)
Q3.3 (2 points) How many times could Mallory hash every word in the dictionary using HS with online computation?
1Keep in mind this is much faster than a real-life slow hash function.
Final Exam Page 6 of 24 CS 161 – Summer 2020
(A) She can’t hash the whole dictionary (D) None of the above
(B) 1 (C) 500
(E) (F)
For each part below, indicate all of the things Mallory can do given the password storage scheme. Assume Mallory knows each scheme. Unless otherwise specified, assume that she can use both offline and online computation
Q3.4 (4 points) Each user’s password is stored as HF(pwd || ‘Bob’).
(G) Learn whether two users have the same password with only online computation
(H) Learn a specific user’s password
(I) Change a user’s password without detec- tion
(J) Learn every user’s password (K) None of the above
(L)
Q3.5 (4 points) Each user’s password is stored as the tuple (HS(pwd || ‘Bob’), Sign(k, HF(pwd))).
(A) Learn whether two users have the same password with only online computation
(B) Learn a specific user’s password
(C) Change a user’s password without detec- tion
(D) Learn every user’s password (E) None of the above
(F)
Q3.6 (4 points) Each user’s password is stored as the tuple (HF(pwd || uname), Sign(k, uname || HF(pwd)))
(G) Learn whether two users have the same password with only online computation
(H) Learn a specific user’s password
(I) Change a user’s password without detec- tion
(J) Learn every user’s password (K) None of the above
(L)
Q3.7 (4 points) Each user’s password is stored as (HS(pwd || uname), Sign(k, HS(pwd))) [Clarification during exam: The expression was missing a leading parenthesis.]
(A) Learn whether two users have the same (B) Learn a specific user’s password password with only online computation
(C) Change a user’s password without detec- Final Exam Page 7 of 24 CS 161 – Summer 2020
tion (E) None of the above
(D) Learn every user’s password
(F)
Q3.8 (3 points) Describe a DoS attack Mallory can launch against Bob’s server if he uses the scheme in Q3.7.
Q3.9 (3 points) Bob decides to add two-factor authentication to the scheme in Q3.7. Does this change your answer to Q3.7?
(A) Yes (B) No (C) (D) (E) (F)
This is the end of Q3. Proceed to Q4 on your answer sheet.
Final Exam Page 8 of 24 CS 161 – Summer 2020
Q4
Forwards, Backwards, Left, and Right (16 points) Consider the following properties. The solid part of each timeline denotes the time frame where messages remain confidential, even after Eve, an on-path eavesdropper, steals a key.
• Forward secrecy: If Eve steals a key, past messages remain confidential.
Eve steals key
• Backward secrecy: If Eve steals a key, future messages remain confidential.
Eve steals key
• Weak forward secrecy: If Eve stops recording messages, then steals a key, any messages Eve recorded before she stopped recording remain confidential.
Eve stops Eve recording steals key
• Weak backward secrecy: If Eve steals a key, then starts recording messages, any messages Eve record remain confidential.
starts steals key recording
Consider the following modified symmetric encryption schemes where Alice and Bob change their encryption key for each message they send. For each scheme, determine which of the given properties is ensured. Assume that all keys are 128 bits long, and no party will send more than one message in a row.
Q4.1 (4 points) Alice and Bob increment their shared key 𝑘 by 1 for each new message, so 𝑘′ = 𝑘 + 1. (A) Forward secrecy (D) Weak backward secrecy
(B) Backward secrecy (E) None of the above
(C) Weak forward secrecy
(F)
Q4.2 (4 points) Alice and Bob’s current shared key is 𝑘. For each new message, the sender generates a small, 8-bit random number 𝑛 and attaches it to the message before encryption. The next message will be encrypted under key 𝑘′ = 𝑘 ⨁ PRG(𝑛)[∶128], where PRG is a secure PRG.
Final Exam Page 9 of 24 CS 161 – Summer 2020
(G) Forward secrecy (J) Weak backward secrecy (H) Backward secrecy (K) None of the above
(I) Weak forward secrecy
(L)
Q4.3 (4 points) Alice and Bob’s current shared key is 𝑘. For each new message, the sender generates a new symmetric key 𝑘′ and attaches it to the message before encryption. The next message will be encrypted under 𝑘′.
(A) Forward secrecy (D) Weak backward secrecy (B) Backward secrecy (E) None of the above
(C) Weak forward secrecy
(F)
Q4.4 (4 points) For each new message, Alice and Bob conduct Diffie-Hellman key exchange to generate a new symmetric key.
(G) Forward secrecy (J) Weak backward secrecy (H) Backward secrecy (K) None of the above
(I) Weak forward secrecy
(L)
This is the end of Q4. Proceed to Q5 on your answer sheet.
Final Exam Page 10 of 24 CS 161 – Summer 2020
Q5 EvanBotOS (25 points) EvanBot is building a new OS and wants to defend against buffer overflow attacks. Bot decides to use cryptography to secure values on the stack.
Assume any cryptography is executed separately and securely by the OS. This means that any crypto- graphic operations do not count as function calls on the program’s stack, and the attacker cannot see the operations being executed. Also, unless otherwise stated, any MACs or hashes generated are stored separately in the OS, not on the stack.
Assume stack canaries are four random bytes (no null byte). Assume the OS has a secret key 𝑘 that is unknown to any attacker.
For each part, mark which scheme is more secure (would defend against more buffer overflow attacks), or if both schemes would defend against the same set of attacks.
[Clarification during exam: For each scheme, unless otherwise specified all memory safety defenses are disabled.]
Q5.1 (3 points) Scheme A: When a function is called, push a random stack canary to the stack. Also, generate a MAC on the canary value using 𝑘. Before the function returns, in addition to checking that the canary is the same, also verify the canary with the MAC.
Scheme B: No cryptography, stack canaries are enabled, WˆX and ASLR are disabled.
(A) Scheme A (C) The same (E) (B) Scheme B (D) (F)
Q5.2 (3 points) Scheme A: When a function is called, encrypt a randomly-generated stack canary using 𝑘. Push the encrypted canary onto the stack. Before the function returns, decrypt the stack canary and verify that it is unchanged.
Scheme B: No cryptography, stack canaries are enabled, WˆX and ASLR are disabled.
(G) Scheme A (I) The same (K) (H) Scheme B (J) (L)
Q5.3 (3 points) Scheme A: When a program is first started, generate a signature on every page of the memory space using 𝑘. If the program tries to execute any instructions in memory, check that the page where the instruction is stored is correctly signed.
Scheme B: No cryptography, WˆX is enabled, stack canaries and ASLR are disabled.
Final Exam
Page 11 of 24
CS 161 – Summer 2020
(A) Scheme A (B) Scheme B
(C) The same (E) (D) (F)
Q5.4 (3 points) Scheme A: When a function is called, using a cryptographic hash 𝐻 , hash the RIP, and push the value of the hash onto the stack. Before the function returns, verify that the RIP still hashes to the same value.
Scheme B: When a function is called, generate a MAC on the RIP using 𝑘, and push the value of the MAC onto the stack. Before the function returns, verify the RIP with the MAC.
Assume that the hash and the MAC are the same length.
(G) Scheme A (I) The same (K)
(H) Scheme B (J) (L)
Q5.5 (5 points) Consider Scheme A from the previous part. Briefly explain how you might create an exploit for Scheme A that overwrites the RIP. Assume you can debug only the vulnerable program with GDB, and you cannot access the OS-level cryptography operations.
(A) (B) (C) (D) (E) (F)
Q5.6 (3points)SchemeA:Whenafunctioniscalled,encrypttheRIPwithaone-timepad,wherethepad is a static value stored in the OS. (The pad value does not change when you rerun the program.) Before the function returns, decrypt the RIP and jump to that location.
Scheme B: No cryptography, stack canaries are enabled, WˆX and ASLR are disabled.
(G) Scheme A (I) The same (K) (H) Scheme B (J) (L)
Q5.7 (5 points) Consider Scheme A from the previous part. In 2-3 sentences, explain how you might create an exploit for Scheme A that overwrites the RIP. Assume you can debug only the vulnerable program with GDB, and you cannot access the OS-level cryptography operations.
(A) (B) (C) (D) (E) (F)
This is the end of Q5. Proceed to Q6 on your answer sheet.
Final Exam Page 12 of 24 CS 161 – Summer 2020
Q6 DNS over TCP (20 points) Standard DNS uses UDP to send all queries and responses. Consider a modified DNS that instead uses TCP for all queries and responses.
Q6.1 (3 points) Which of the following does DNS over TCP guarantee against a man-in-the-middle attacker? Select all that apply.
(A) Confidentiality (C) Authenticity (E)
(B) Integrity (D) None of the above
(F)
Q6.2 (3 points) Compared to standard DNS, does DNS over TCP defend against more attacks, fewer attacks, or the same amount of attacks against an on-path attacker?
(G) More attacks (I) Fewer attacks (K)
(L)
response in DNS over TCP? Assume source port randomization is enabled. Select all that apply. (A) TCP sequence numbers (C) Recursive resolver port (E) DNS NS records
(B) Name server port (D) DNS A records (F) None of the above
Q6.4 (3 points) Is the Kaminsky attack possible on DNS over TCP? Assume source port randomization is disabled.
(G) Yes, because the attacker only needs to guess the DNS Query ID
(H) Yes, but we consider it infeasible for modern attackers
(I) No, because the attacker cannot force the victim to generate a lot of DNS over TCP requests
(J) No, because TCP has integrity guarantees
(K)
(L)
(M)
Q6.5 (3 points) Recall the DoS amplification attack using standard DNS packets. An off-path attacker spoofs many DNS queries with the victim’s IP, and the victim is overwhelmed with DNS responses.
Does this attack still work on DNS over TCP?
(A) Yes, the attack causes the victim to consume more bandwidth than the standard DNS attack
(H) Same amount of attacks (J)
Q6.3 (5 points) What fields does an off-path attacker not know and need to guess correctly to spoof a
Final Exam Page 13 of 24 CS 161 – Summer 2020
(B) Yes, the attack causes the victim to consume less bandwidth than the standard DNS attack (C) No, because the DNS responses no longer provide enough amplification
(D) No, because the attacker cannot force the server to send DNS responses to the victim
(E)
(F)
Q6.6 (3 points) What type of off-path DoS attack from lecture is DNS over TCP vulnerable to, but standard DNS not vulnerable to? Answer in five words or fewer.
Final Exam Page 14 of 24 CS 161 – Summer 2020
Q7 I (T)C(P) You (26 points) EvanBot builds a new course feature that sends announcements to students over TCP. To receive an- nouncements, a student initiates a TCP connection with the server. The server sends the announcements and terminates the connection.
Q7.1 (3 points) Assuming that no adversaries are present, which of the following does communication over a TCP connection guarantee? Select all that apply.
(A) That both the server and client can detect if a particular announcement needs to be resent (B) That different announcements are delivered in the same order they were sent in
(C) That announcements are delivered using the most efficient path through the internet
(D) None of the above
(E) (F)
Q7.2 (3 points) When only an on-path adversary is present, which of the following does communication over a TCP connection guarantee? Select all that apply.
(G) That both the server and client can detect if a particular announcement needs to be resent (H) That different announcements are delivered in the same order they were sent in
(I) That announcements are delivered using the most efficient path through the internet
(J) None of the above
(K) (L)
Q7.3 (3 points) Suppose that EvanBot instead sends announcements over UDP. Assuming that no adversaries are present, which of the following might happen? Select all that apply.
(A) Students might not receive some announcements
(B) Students might receive the announcements more quickly
(C) The server might not detect some errors which it would have had it been using TCP
(D) None of the above
(E)
EvanBot realizes that the server is sending messages to the student, but the student only responds with ACKs and never sends any messages after the initial handshake. They design a Half TCP protocol which provides TCP’s properties for communications from the server to the student, but not for
Final Exam Page 15 of 24 CS 161 – Summer 2020
communications from the student to the server. This is accomplished using a modified version of the standard three step handshake pictured below.
Student Server
Q7.4 (5 points) Some sequence numbers are no longer necessary in Half TCP. Which fields do not need to be transmitted? Select all that apply.
(G) The sequence number in the SYN packet
(H) The sequence number in the SYN-ACK packet
(I) The ACK number in the SYN-ACK packet
(J) The sequence number in the ACK packet (K) The ACK number in the ACK packet
(L) None of the above
Q7.5 (3 points) Which of these are consequences of moving from TCP to Half TCP for this application? Select all that apply.
(A) The student will no longer receive announcements in the correct order (B) The server will not have to keep track of as much state
(C) The student will not have to keep track of as much state
(D) None of the above
(E) (F)
The 161 staff likes security and decides to use TLS over Half TCP. Assume that the staff server has a valid certificate for their public key.
For each different adversary below, select all attacks which become easier when running TLS over Half TCP compared to normal TCP.
Q7.6 (3 points) Off-path adversary (G) RST Injection Attack
(H) Interfere with a TLS handshake to learn the master key
(I) Replay an encrypted command from a previous TLS connection
Final Exam Page 16 of 24 CS 161 – Summer 2020
SYN-ACK
SYN
ACK
(J) None of the above
(K) (L)
Q7.7 (3 points) On-path adversary (A) RST Injection Attack
(B) Interfere with a TLS handshake to learn the master key
(C) Replay an encrypted command from a previous TLS connection
(D) None of the above
(E)
(F)
Q7.8 (3 points) Man-in-the-middle adversary (G) RST Injection Attack
(H) Interfere with a TLS handshake to learn the master key
(I) Replay an encrypted command from a previous TLS connection (J) None of the above
(K)
(L)
This is the end of Q7. Proceed to Q8 on your answer sheet.
Final Exam Page 17 of 24 CS 161 – Summer 2020
Q8 Election Security (23 points) The 2020 elections are coming up, and the United States Government has tasked you with securing the nation’s voting machines!
Assume election headquarters are in a top-secret, undisclosed site. All incoming network requests pass through a network-based intrusion detection system (NIDS), as well as a firewall. Outside users can only access the server with HTTPS.
Q8.1 (3 points) Which of these attacks are always preventable in this setup? Assume the attacker is on-path. Select all that apply.
(A) RST Injection Attack (D) None of the Above (B) SQL Injection Attack (E)
(C) Reflected XSS Attack
(F)
Q8.2 (3 points) Which of these attacks are always preventable in this setup? Assume the attacker is on-path. Select all that apply.
(G) SYN Flooding Attack (J) None of the Above (H) DNS Spoofing Attack (K)
(I) DDoS Attack
(L)
Q8.3 (3 points) An attacker injects malicious code on a server inside the election headquarters that changes all submitted votes to one candidate. Which detection system is best suited to defend against this attacker?
(A) HIDS (C) Firewall (E)
(B) NIDS (D)
(F)
Q8.4 (3 points) An attacker realizes that the ballot boxes are running a vulnerable version of Linux, and uses a previously-known buffer overflow exploit. Which detection method is best suited to defend against this attacker?
(G) Anomaly-Based Detection (H) Signature-Based Detection (I) Specification-Based Detection
(J) Behavioral-Based Detection
(K) (L)
Q8.5 (5points)Ben,acomputerscientistatthetop-secretsite,hasaHIDSinstalledonhisworklaptop.He decides to sign into his personal email account, claiming that HTTPS will protect the government from seeing his emails. Is he correct? Justify your answer in 1–2 sentences.
Final Exam Page 18 of 24 CS 161 – Summer 2020
(A) Yes (D) (B) No (E) (C)
Q8.6 (3 points) You’re discovered that an attacker has managed to connect to a service running inside our network from IP Address 5.6.7.8 and is in the process of performing a DoS attack! Write a stateful firewall rule to block all traffic originating from the attacker. Our service is running on IP address 1.2.3.4 (port 443).
Q8.7 (3 points) You’ve received a tip that attackers have devised a plan to spoof ballot submissions. Here’s the information that your source provides:
• 20 out of every 100 submissions are malicious.
• The cost to investigate an incorrectly flagged submission is $5. • The cost of letting a spoofed submission through is $50.
You’re offered two different intrusion detection systems. System A offers a false positive rate of 10% and a false negative rate of 25%. System B offers a false positive rate of 50% and a false negative rate of 5%. Which do you choose?
(A) System A
(B) System B
(C) Not enough information
(D) Either system
(E) (F)
This is the end of Q8. Proceed to Q9 on your answer sheet.
Final Exam Page 19 of 24 CS 161 – Summer 2020
Q9 Cookie Debugger (37 points) EvanBot is adding a feature on the CS161 course website that lets students log in and view their grades. However, Bot forgot to remove a debugging feature–if anyone visits cs161.org/debug, the webpage will display all the cookies sent to the server.
Assume the cs161.org/debug page does not have any other functionality. Assume anyone can create an account on the website. Each subpart is independent.
Q9.1 (3 points) Which of the following URLs have the same origin as http://cs161.org/debug according to the same-origin policy?
(A) http://cs161.org/ (D) None of the above (B) http://cs161.org:8081/debug (E)
(F)
https://cs161.org/debug? Assume the client’s origin is https://cs161.org. (G) Domain = cs161.org, Path = /, Secure
(H) Domain = cs161.org, Path = /, HttpOnly
(I) Domain = debug.cs161.org, Path = /, Secure, HttpOnly
(J) Domain = cs161.org, Path = /debug
(K) Domain = cs161.org, Path = /, SameSite=strict
(L) None of the above
Q9.3 (3points)Supposeyousetacookietest= with valid attributes, and load https://cs161.org/debug. A pop-up that says This exam is hard! appears in your browser. Have you successfully found a server vulnerability?
[Clarification during exam: The pop-up had a typo in it.] (A) Yes, you found an XSS vulnerability
(B) Yes, you found a CSRF vulnerability
(C) No, because you have not changed any state on the server side
(D) No, because the JavaScript does not run with the origin of cs161.org (E)
(F)
(C) https://cs161.org/debug
Q9.2 (5 points) Which of the following cookies would be displayed when visiting
Final Exam
Page 20 of 24
CS 161 – Summer 2020
Q9.4 (5 points) Consider a modification to the course website. Before rendering any page, the server searches for every pair of tags and removes the tags and everything between the tags.
Can you still cause JavaScript to run in your browser using