MSS*: Chapter 3 Shopping carts & Payment gateways * McClure, Stuart, Saumil Shah, and Shreeraj Shah. Web Hacking: attacks and defense. Addison Wesley.


1 MSS*: Chapter 3 Shopping carts & Payment gateways * McClure, Stuart, Saumil Shah, and Shreeraj Shah. Web Hacking: attacks and defense. Addison Wesley. 2003.

2 Web Security: Evolution of Shopping
- Farmers' market
- Store shopping
- Supermarket
- Catalog shopping
- On-line shopping: combines the experience of both in-store shopping and catalog shopping
  + Web-based applications offer more interactivity and multimedia presentation than a printed catalog.
  + Web-based applications typically provide searching capabilities, which are not available in traditional in-store or catalog shopping.
  + Web-based applications can be tailored to different shopping styles, giving a "no-pressure" shopping experience.
Q: Are there any drawbacks or specific requirements?

3 Evolution of Shopping
- What are the factors that may drive potential customers away from web-based shopping?
  - Is concern over security real?
  - Ease of use
  - Anything else?

4 Traditional retail business (figure)

5 Computerized retail business (figure)

6 E-commerce model (figure)

7 E-commerce model
- Characteristics:
  - A web portal represents the company's web identity.
  - The portal serves as the entry into the electronic store.
  - A web site hosting multiple applications that interact with an array of servers (other web sites, financial processing, transaction processing, back-end databases, etc.)
- Q: What makes an e-commerce site different from a computerized retail business?

8 E-commerce model
- An exercise: The e-commerce model diagram is not really an ER diagram. Modify/refine the model and turn it into a real ER or EER diagram.
  - Hint: Add relationships
  - Part of your project: preliminary design

9 E-commerce model
- The need for peer-to-peer communications
  - An extranet is an inter-network linking different companies' internal networks.
  - What are the requirements of an inter-company web-based application?
    - Trust!
    - Authentication
    - Non-repudiation
    - Anything else?
  -> Web services

10 Web Services: Multi-party Web services (figure)

11 E-shopping cart systems
- Uses of an e-shopping cart:
  - Temporarily stores what the customer has picked;
  - Provides a summary of the items (prices, S&H cost, etc.) in the cart when needed (at the customer's request or at the time of checkout);
  - The customer may replace items in the cart until the transaction is finalized.

12 E-shopping cart systems
- The e-shopping cart application forms the heart of the e-shopping application.
- It binds the customer, the product catalog, the inventory system, and the payment system together.

13 E-shopping cart systems
- Implementation requirements:
  - Accuracy: It correctly records what the customer has picked and changed.
  - Flexibility: It allows the customer to freely replace items in the cart.
  - Integration: with the product catalog, the inventory system, and the payment gateway.
  - Integrity: No tampering with the cart's content, whether by a malicious third party or by programming errors (e.g., state leaking across two different carts).
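One way to meet the integrity requirement above when cart state is held client-side (an added example, not code from the slides or from the McClure/Shah book): the serialized cart carries an HMAC computed with a server-only key, and the tag is bound to the session id so that a token minted for one customer's cart is rejected if presented with another session. The key, session ids and items are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed server-side secret; a real deployment loads it from a key store,
# never from the page or the client.
SERVER_KEY = secrets.token_bytes(32)


def seal_cart(session_id: str, items: dict) -> str:
    """Serialize the cart and append an HMAC-SHA256 tag bound to the session.

    The session id is part of the authenticated payload, so the tag only
    verifies for the session it was issued to (no mixing of two carts).
    """
    payload = json.dumps({"sid": session_id, "items": items}, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def open_cart(session_id: str, token: str) -> Optional[dict]:
    """Return the cart items, or None if the token is malformed, altered,
    forged, or belongs to a different session."""
    try:
        b64, tag = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison: the tag check must not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None  # contents or tag were modified after the server sealed it
    data = json.loads(payload)
    if data.get("sid") != session_id:
        return None  # valid token, but issued for another customer's cart
    return data["items"]
```

Any rejection (None) is worth logging with the session id, since a well-formed token that fails the tag check rarely arises from an honest browser.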

14 E-shopping cart systems
- Components:
  - Session management
  - Product catalog application
  - Payment gateway
  - Back-end databases (e.g., product inventory, customer information)

15 E-shopping cart systems
- Sample problems with insecure shopping carts:
  - Remote command execution over HTTP
  - Unprotected sensitive information retrievable via HTTP
  - Improper or missing input sanitization, which results in remote command execution
  - Modified hidden HTML form fields

16 Payment processing system
- The checkout process:
  1. Finalize the order
  2. Choose the method of payment
  3. Verify the chosen payment method
  4. Log all transactions
  5. Fulfill the order
  6. Generate a receipt

17 Payment processing system
- The payment gateway interface (figure on next page):
  - Interacts with the order information page, the back-end databases, and the payment gateway
  - Provided by the institution that hosts the payment gateway (e.g., Verisign or PayPal)
  - Integrated into the e-shopping application and invoked by the electronic storefront app.
  - SSL-encrypted interface with the payment gateway (Q: what about the interfaces with the other components?)

18 Payment processing system (figure: payment gateway interface)

19 Payment processing system
- Payment system implementation issues:
  - Never trust "sensitive" data passed from the client side. Why?
  - Do not store temporary info within the Web server's document folder. Why?
  - Temporary info should be destroyed after its use.
  - Use SSL to encrypt communication links. Why?
  - Carefully protect user profiles!
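The "modified hidden HTML form fields" problem from slide 15 and the "never trust sensitive data passed from the client side" rule above, shown side by side as an added example (not code from the slides or the book): the vulnerable handler computes the total from a hidden price field the browser submitted, while the hardened handler treats the server-side catalog as the only source of prices, validates the quantity, and flags a submitted price that disagrees with the catalog. The catalog, SKUs and form dictionaries are constructed for the example.

```python
import logging
from decimal import Decimal, InvalidOperation
from typing import Tuple

# Constructed product catalog: the server-side source of truth for prices.
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("5.00")}


def checkout_insecure(form: dict) -> Decimal:
    """Vulnerable: trusts the hidden 'price' field that the browser posted back.
    Anyone can edit that field before submitting, so the total is whatever
    the client says it is."""
    return Decimal(form["price"]) * int(form["qty"])


def checkout_secure(form: dict) -> Tuple[Decimal, bool]:
    """Hardened: the client may only name a SKU and a quantity.

    Returns (order total, tamper_flag). The price is always taken from the
    catalog; a posted price that disagrees with it is a tampering signal
    that is logged and surfaced to the caller for monitoring.
    """
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:  # constructed business limit for one line item
        raise ValueError("quantity out of range")

    tampered = False
    if "price" in form:  # a legacy form may still post it; it is never used
        try:
            tampered = Decimal(form["price"]) != CATALOG[sku]
        except InvalidOperation:
            tampered = True
        if tampered:
            logging.warning("price field for %s did not match catalog", sku)
    return CATALOG[sku] * qty, tampered
```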

