Question
Which listed statements are true?
WebAuthn provides stronger protection against phishing attacks compared to traditional username and password authentication.
Web fingerprinting is based solely on the User-Agent header sent by a browser.
Attacking a web service may allow hackers to install ransomware.
Cross-site request forgery (CSRF) attacks can be prevented by using unique tokens for each request.
Which of the following listed statements are true?
Reflected XSS attacks occur when a malicious script is injected into a web application and kept in a database, for example, waiting for the user to load the script by using the web site in his browser.
Self-signed SSL/TLS certificates can still provide encryption for the data transmitted between a user's web browser and the website, while lacking the trust and confidence provided by a certificate from a trusted third party.
Cross-Site Request Forgery attacks are not considered a significant threat as they are difficult to execute and rarely result in actual harm.
The PostMessage API is limited to same-domain communication and cannot be used to bypass the Same Origin Policy.
Which of the following listed statements are true?
HTTPS protects against man-in-the-middle attacks even if the attacker is able to obtain a valid SSL certificate for the domain.
Fingerprinting cannot be used to track users across different websites and therefore is not an adequate technique to build a profile of their online behavior.
Session tokens should be stored either in the client's cookie or in the URL.
Enabling directory listing on a local HTTP server can expose sensitive information to potential attackers.
Which of the below statements on web application security are true?
Web fingerprinting is an illegal operation and can only be performed by law-enforcing agencies.
The Same Origin Policy is a security mechanism in web browsers that restricts the access of scripts to resources from a different origin (e.g., a different domain, port or protocol).
Phishing attacks are most effective when they are able to steal the user's login credentials for a specific account.
As the same-origin policy is based on the IP and not on the domain name, it is a good security measure against DNS rebinding attacks.