MSS*: Chapter 3 Shopping carts & Payment gateways
* McClure, Stuart, Saumil Shah, and Shreeraj Shah. Web Hacking: Attacks and Defense. Addison-Wesley, 2003.
Evolution of Shopping
• Farmers' market → Store shopping → Supermarket → Catalog shopping
• On-line shopping combines the experience of in-store shopping and catalog shopping:
  + Web-based applications offer more interactivity and multimedia presentation than a printed catalog.
  + Web-based applications typically provide searching capabilities, which are not available in traditional in-store or catalog shopping.
  + Web-based applications can be tailored to different shopping styles, e.g., a "no-pressure" shopping experience.
• Q: Are there any drawbacks or specific requirements?
Web Security
Evolution of Shopping
• What are the factors that may drive potential customers away from web-based shopping?
  • Is the concern over security real?
  • Ease of use
  • Anything else?
Traditional retail business (figure)
Computerized retail business (figure)
E-commerce model (figure)
E-commerce model
• Characteristics:
  • A web portal represents the company's web identity.
  • The portal serves as the entry into the electronic store.
  • A web site hosting multiple applications that interact with an array of servers (other web sites, financial processing, transaction processing, back-end databases, etc.).
• Q: What makes an e-commerce business different from a computerized retail business?
E-commerce model
• An exercise: The e-commerce model diagram is not really an ER diagram. Modify/refine the model and turn it into a real ER or EER diagram.
  • Hint: Add relationships.
  • Part of your project: preliminary design.
E-commerce model
• The need for peer-to-peer (company-to-company) communications
• An extranet is an inter-network linking different companies' internal networks.
• What are the requirements of an inter-company web-based application?
  • Trust!
  • Authentication
  • Non-repudiation
  • Anything else?
• Web services
Web Services (figure: multi-party Web services)
E-shopping cart systems
• Uses of an e-shopping cart:
  • Temporarily stores what the customer has picked;
  • Provides a summary of the items (prices, S&H cost, etc.) in the cart when needed (at the customer's request or at the time of checkout);
  • Lets the customer replace items in the cart until the transaction is finalized.
E-shopping cart systems
• The e-shopping cart application forms the heart of the e-shopping application.
• It binds the customer, the product catalog, the inventory system, and the payment system together.
E-shopping cart systems
• Implementation requirements:
  • Accuracy: It correctly records what the customer has picked and changed.
  • Flexibility: It allows the customer to freely replace items in the cart.
  • Integration: with the product catalog, the inventory system, and the payment gateway.
  • Integrity: No tampering with the cart's content, whether by a malicious third party or by programming errors (e.g., contents leaking between two different carts).
E-shopping cart systems
• Components:
  • Session management
  • Product catalog application
  • Payment gateway
  • Back-end databases (e.g., product inventory, customer information)
E-shopping cart systems
• Sample problems with insecure shopping carts:
  • Remote command execution over HTTP
  • Unprotected sensitive information (e.g., order or customer data) retrievable via HTTP
  • Improper or missing input sanitization, resulting in remote command execution
  • Modified hidden HTML form fields (e.g., a price or total that the server accepts from the browser without rechecking it)
Payment processing system
• The checkout process:
  • Finalize the order
  • Choose the method of payment
  • Verify the chosen payment method
  • Log all transactions
  • Fulfill the order
  • Generate a receipt
Payment processing system
• The payment gateway interface (figure on next page):
  • Interacts with the order information page, the back-end databases, and the payment gateway
  • Provided by the institution that hosts the payment gateway (e.g., Verisign or PayPal)
  • Integrated into the e-shopping application and invoked by the electronic storefront application
  • SSL-encrypted interface with the payment gateway (Q: how about the interfaces with the other components?)
Payment processing system (figure: the payment gateway interface)
Payment processing system
• Payment system implementation issues:
  • Never trust "sensitive" data (prices, totals, account identifiers) passed from the client side. Why? (Anything the browser sends, including hidden form fields and cookies, can be altered by the user before it is submitted.)
  • Do not store temporary information within the Web server's document folder. Why? (Anything under the document root may be retrievable over HTTP by anyone who can guess or enumerate its name.)
  • Temporary information should be destroyed after its use.
  • Use SSL to encrypt communication links. Why? (Otherwise card numbers and credentials travel in clear text and can be captured on the wire.)
  • Carefully protect user profiles!
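The "modified hidden HTML form fields" problem on the shopping-cart slide and the "never trust sensitive data from the client side" rule above are the same bug seen from two sides. The following is an added example, not code from the Web Hacking book or from this deck: a checkout handler that computes the total from a hidden price field the browser sent, beside a hardened handler that accepts only a SKU and a quantity from the client and rebuilds the price from a server-side catalog. The catalog, the SKUs, the per-line quantity cap and the form bodies are all constructed for the example.

```python
# Added example (not code from the Web Hacking book or from this slide deck):
# a checkout handler that trusts a hidden price field, beside one that rebuilds
# the order from a server-side catalog. Catalog, SKUs and form bodies are
# constructed for the example.
from decimal import Decimal, ROUND_HALF_UP
from urllib.parse import parse_qs

# Constructed server-side catalog: the only authoritative source of prices.
CATALOG = {
    "SKU-1001": {"name": "Widget", "price": Decimal("19.99"), "stock": 50},
    "SKU-2002": {"name": "Gadget", "price": Decimal("249.00"), "stock": 3},
}
MAX_QTY_PER_LINE = 10  # assumed business limit per order line

# Constructed POST bodies as an HTML form would send them. The catalog page
# rendered the price into a hidden field; the customer edited the price (or
# the quantity) in the browser before submitting.
TAMPERED_PRICE = "sku=SKU-2002&qty=1&price=0.01"
NEGATIVE_QTY = "sku=SKU-1001&qty=-2&price=19.99"


def vulnerable_total(form_body):
    """Vulnerable: the server believes whatever price and qty the browser sent."""
    f = parse_qs(form_body)
    return Decimal(f["price"][0]) * int(f["qty"][0])


def checkout_total(form_body):
    """Hardened: only sku and qty are accepted from the client. The price comes
    from CATALOG, qty is range-checked against stock and a per-line cap, and a
    submission carrying any other field (such as price) is refused outright,
    since an unexpected field is itself a sign of tampering worth logging."""
    f = parse_qs(form_body, strict_parsing=True)
    if set(f) != {"sku", "qty"}:
        raise ValueError(f"unexpected or missing fields: {sorted(f)}")
    item = CATALOG.get(f["sku"][0])
    if item is None:
        raise ValueError("unknown sku")
    try:
        qty = int(f["qty"][0])
    except ValueError:
        raise ValueError("qty is not an integer") from None
    if not 1 <= qty <= min(MAX_QTY_PER_LINE, item["stock"]):
        raise ValueError("qty out of range")
    return (item["price"] * qty).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def rejected(form_body):
    """True when the hardened handler refuses the submission."""
    try:
        checkout_total(form_body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for body in (TAMPERED_PRICE, NEGATIVE_QTY, "sku=SKU-2002&qty=1"):
        hardened = "rejected" if rejected(body) else str(checkout_total(body))
        try:
            naive = str(vulnerable_total(body))
        except KeyError:
            naive = "n/a (no price field)"
        print(f"{body:35} vulnerable={naive:8} hardened={hardened}")
```

The vulnerable handler charges 0.01 for the tampered order and produces a negative total (a refund) for the negative quantity; the hardened handler refuses both and charges the catalog price for the clean submission. The same pattern applies to every value the client is allowed to echo back: shipping cost, discount codes, the customer identifier, and the order total handed to the payment gateway interface should all be recomputed or looked up on the server, never read from the form.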