170 likes | 415 Views
MSS: Chapter 3 Shopping carts & Payment gateways Evolution of Shopping Farmers’ market Store shopping Supermarket Catalog shopping On-line shopping: combines the experience of both in-store shopping and catalog shopping
E N D
MSS: Chapter 3Shopping carts & Payment gateways csci5931 Web Security
Evolution of Shopping • Farmers’ market Store shopping Supermarket Catalog shopping • On-line shopping: combines the experience of both in-store shopping and catalog shopping + Web-based applications offer more interactivity and multimedia presentation than a printed catalog. + Web-based applications typically provide searching capabilities, which are not available in the traditional in-store shopping or catalog shopping. + Web-based applications can be tailored to different shopping styles. “no-pressure” shopping experience Q: Are there any drawbacks or specific requirements? csci5931 Web Security
Evolution of Shopping • What are the factors that may drive potential customers away from web-based shopping? • Is concern over security real? • Ease of use • Anything else? csci5931 Web Security
E-commerce model • c.f.,: traditional retail business (Fig. 3-1) • c.f.,: computerized retail business (Fig. 3-2) • Figure 3-3 (p.97): e-commerce model • Characteristics: • A web portal represents the company’s web identity. • The portal serves as an entry into the electronic store. • A web site hosting multiple applications that interact with an array of servers (other web sites, financial processing, transaction processing, back-end databases, etc.) • Q: What makes an e-commerce different from a computerized retail business? csci5931 Web Security
E-commerce model • An exercise: The e-commerce model on page 97 is not really an ER diagram. Modify/refine the model and turn it into a real ER or EER diagram. • Hint: Add relationships • Part of your project: preliminary design csci5931 Web Security
E-commerce model • The need for peer-to-peer communications • An extranet is an inter-network linking different companies’ internal network. • What are the requirements of an inter-company web-based application? • Trust! • Authentication • Non-repudiation • Anything else? • Web-services csci5931 Web Security
Web Services • Multi-party Web services (see the announcement on 1/22) csci5931 Web Security
Web Services • An excellent survey of web security technologies and web service background information • Part of assignment 2 • May be used as this semester’s projects or a thesis csci5931 Web Security
E-shopping cart systems • Uses of an e-shopping cart: • Temporarily stores what the customer has picked; • Provides a summary of the items (prices, S&H cost, etc.) in the cart when needed (per the customer’s request or at the time of checkout); • The customer may replace items in the cart until the transaction is finalized. csci5931 Web Security
E-shopping cart systems • The e-shopping cart application forms the heart of the e-shopping application. • It binds the customer, the product catalog, the inventory system, and the payment system together. (See Fig. 3-7, p.103.) csci5931 Web Security
E-shopping cart systems • Implementation requirements: • Accuracy: It correctly records what the customer has picked and changed. • Flexibility: It allows the customer to freely replace items in the cart. • Integration: with the product catalog, the inventory system, and the payment gateway. • Integrity: No tampering of the cart’s content, whether by malicious 3rd party or programming errors (e.g., across two different carts) csci5931 Web Security
E-shopping cart systems • Components: • Session management • Product catalog application • Payment gateway • Back-end databases (e.g., product inventory, customer information) • See Fig. 3-7 (p.103) and Fig. 3-9 (p.109) csci5931 Web Security
E-shopping cart systems • Sample problems with insecure shopping carts: • Remote command execution over HTTP • Unprotected sensitive information retrievable via HTTP • Improper or no ‘input sanitization’ results in remote command execution • Modified hidden HTML form fields csci5931 Web Security
Payment processing system • The checkout process: • Finalize the order • Choose method of payment • Verify of the chosen payment method • Log all transactions • Fulfill the order • Generate a receipt csci5931 Web Security
Payment processing system • The payment gateway interface: • See Fig. 3-9 • Interacts with the order information page, the back-end databases, and the payment gateway • Provided by the institution that hosts the payment gateway (e.g., Verisign or PayPal) • Integrated into the e-shopping application and invoked by the electronic storefront app. • SSL encrypted interface with the payment gateway (Q: how about i/f with other components?) csci5931 Web Security
Payment processing system • Payment system implementation issues: • Never trust “sensitive” data passed from the client side. Why? • Do not store temporary info within the Web server’s document folder. Why? • Temporary info should be destroyed after its use. • Use SSL to encrypt communication links. Why? • Carefully protect user profiles! csci5931 Web Security
Next • Java security model (GS: Ch1, 2, 3) csci5931 Web Security