Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Published byLewis Eaton Modified over 9 years ago

Similar presentations

Presentation on theme: "Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole."— Presentation transcript:

1 Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole

2  Web-based interface  Documents stored, shared and accessed securely  Role-based Access Control  System log to track activity System Overview

3  Client: Modern web browser (no IE6)  Web Server: Windows Server 2008, IIS 7  Database Server: SQL Server 2008 R2  Framework: ASP.NET  Language: C#  Architecture: MVC (model view controller) Operating Environment

4 MVC Image taken from http://www.asp.net/mvc/whatisaspmvchttp://www.asp.net/mvc/whatisaspmvc

5  User Account Management  Xinyi Dong  Matthew Downs  Document Management  Joshua Ferguson  Sayan Kole  Auditing and Logging  Sriram Gopinath Task Assignment

6 Mostly Functional Bugs And Few Security Vulnerability Vulnerabilities Identified

7 User log in and register Valid  ?? Invalid  No password recovery feature implemented.  Administrator is able to view Username and User password.  Inappropriate error message given to the user- Input for username is inappropriate, but shows password doesn't match.  After registration, it logs me in directly without admin approval. User Management

8 Function and security vulnerability Valid  System log information, document download link, share doc page can be obtained by any user by using the back link of the browser after the admin has logged out.(browser dependent)  UserID is displayed on the screen. Invalid  Session remains valid when you copy the url link from one browser to another type of browser..  Sql injection takes place. No input validation.  Email not validated.  An attacker can purposely enter wrong passwords for the admin to lock the admin out of the site.  Username "null" reflected in page shows the lack of proper validation User Management

9 Account Management Valid  ?? Invalid  In the admin section, there is no approval/denial of Users functionality present.  There is not limit to what can be entered in the request box, could throw null or expand the website size  Able to be a manager/employee to multiple departments  It will make random users(??) User Management

10 Share and Update Documents with Users Valid  Incorrect access control policy, the employee can see Manager’s document without even sharing it.  Listing of shared documents incorrect.  Sharing documents among users in different department not working  The document is not able to be checked in after it was checked out.  Sharing by assigning privileges absent  Interface doesn’t show any difference between shared documents and current documents.  Updating document you can update original document with any other document. Invalid  NA Document Management

11 Upload/Download Documents, Encryption and Decryption Valid  If an user clicked download button more than twice even they fails to upload the documents, the error shows up Un- Encrypted Files Can’t be Read.  All files require keyword to decrypt key  If no file given then goes to blank page  While editing a file, when the encryption check box is checked and upload is pressed, an exception occurs which is not handled.  Delete file after checkout  When the decryption key provided by the user is very long, the system crashes. Document Management

12 Upload/Download Documents, Encryption and Decryption Invalid  Can upload same document multiple times  Upload not happening, just a blank screen is coming without any error message.  When the user tries to decrypt an encrypted file, the system does not check if the user provided the right encryption key.  Every uploaded file is displayed twice even though it is uploaded only once. Document Management

13 Valid  An user can check in/ check out any document with specific file ID without any permission.  Upload not happening, just a blank screen is coming without any error message. Document Access

14 Valid  Can get the document download link by the back button of browser (Browser dependent)  Expose document ID in URL Solution:  Proper Session Management  Using the Document id as a form value Security issues with documents

15 Function and security vulnerability Valid  Dates are wrong Invalid  Captcha produces letters which cannot be entered  Brute force protection is set up for password guessing, but it can backfire for the admin. An attacker can purposely enter wrong passwords for the admin to lock the admin out of the site. Others

16 Questions

Download ppt "Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole."

Similar presentations

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.

MFA for Business Banking – Security Code Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing these QT sheets.
Medicaid Alternative Benefit Plans (ABP) Processing

Medicaid Alternative Benefit Plans (ABP) Processing
Getting Started. Edline Web Site Requirements Provide Students and Parents With: 1.A Brief Course Description 2.Your Email Address 3.Course Syllabus 4.Major.

Getting Started. Edline Web Site Requirements Provide Students and Parents With: 1.A Brief Course Description 2.Your Address 3.Course Syllabus 4.Major.
Wisconsin Department of Public Instruction

Wisconsin Department of Public Instruction
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Jillian Gregory, REI Systems Department of Health and Human Services

Jillian Gregory, REI Systems Department of Health and Human Services
Center Accreditation Online System

Center Accreditation Online System
BlackBoard Online Submission Annual Assessment Updates 2010-2011.

BlackBoard Online Submission Annual Assessment Updates
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Accounting & Billing System for the WEB Centre GDP 19 Donna Crawford (dc899) Chris O’Neill (ckjon101) Amit Shah (ams401) David Newman (drn101) Supervisor.

Accounting & Billing System for the WEB Centre GDP 19 Donna Crawford (dc899) Chris O’Neill (ckjon101) Amit Shah (ams401) David Newman (drn101) Supervisor.
Downloading and Installing AutoCAD Architecture 2015 This is a 4 step process 1.Register with the Autodesk Student Community 2.Downloading the software.

Downloading and Installing AutoCAD Architecture 2015 This is a 4 step process 1.Register with the Autodesk Student Community 2.Downloading the software.
DePaul Bears Try Your Luck!. Why buy this product? Approximately 1,000,000 cell phone users Approximately 2,000,000 or more people play the lottery New.

DePaul Bears Try Your Luck!. Why buy this product? Approximately 1,000,000 cell phone users Approximately 2,000,000 or more people play the lottery New.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
New School Websites Teacher Pages. Visit the SCUSD Website for videos tutorials: www.scusd.edu/website-training-teachers For more information.

New School Websites Teacher Pages. Visit the SCUSD Website for videos tutorials: For more information.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Login Screen This is the Sign In page for the Dashboard Enter Id and Password to sign In New User Registration.

Login Screen This is the Sign In page for the Dashboard Enter Id and Password to sign In New User Registration.
Www.vanschools.org Website Tutorial. www.vanschools.org Administration  Log on by clicking Login on the footer of almost any page  Your Username is.

Website Tutorial. Administration  Log on by clicking Login on the footer of almost any page  Your Username is.
Introduction: This VCSS training session has been developed to provide : I.A quick overview of VCSS II.A walk through of the main VCSS features III.Solutions.

Introduction: This VCSS training session has been developed to provide : I.A quick overview of VCSS II.A walk through of the main VCSS features III.Solutions.
Employee Self Service (ESS) Version 2.04.0.0. Employee Self Service  access from any computer  view their elected withholding, earnings summary, check.

Employee Self Service (ESS) Version Employee Self Service  access from any computer  view their elected withholding, earnings summary, check.
T U T O R I A L  2009 Pearson Education, Inc. All rights reserved. 1 28 Bookstore Web Application Introducing Visual Web Developer 2008 Express and the.

T U T O R I A L  2009 Pearson Education, Inc. All rights reserved Bookstore Web Application Introducing Visual Web Developer 2008 Express and the.

Similar presentations

Ads by Google