MSS*: Chapter 3 Shopping carts & Payment gateways
Presentation Transcript

  1. MSS*: Chapter 3 Shopping carts & Payment gateways
  * McClure, Stuart, Saumil Shah, and Shreeraj Shah. Web Hacking: Attacks and Defense. Addison Wesley, 2003.

  2. Evolution of Shopping
  • Farmers’ market → Store shopping → Supermarket → Catalog shopping
  • → On-line shopping: combines the experience of both in-store shopping and catalog shopping
    + Web-based applications offer more interactivity and multimedia presentation than a printed catalog.
    + Web-based applications typically provide searching capabilities, which are not available in traditional in-store shopping or catalog shopping.
    + Web-based applications can be tailored to different shopping styles. → “no-pressure” shopping experience
  Q: Are there any drawbacks or specific requirements?
  Web Security

  3. Evolution of Shopping
  • What are the factors that may drive potential customers away from web-based shopping?
  • Is concern over security real?
  • Ease of use
  • Anything else?

  4. Traditional retail business

  5. Computerized retail business

  6. E-commerce model

  7. E-commerce model
  • Characteristics:
    • A web portal represents the company’s web identity.
    • The portal serves as an entry into the electronic store.
    • A web site hosting multiple applications that interact with an array of servers (other web sites, financial processing, transaction processing, back-end databases, etc.)
  • Q: What makes an e-commerce business different from a computerized retail business?

  8. E-commerce model
  • An exercise: The e-commerce model diagram is not really an ER diagram. Modify/refine the model and turn it into a real ER or EER diagram.
  • Hint: Add relationships
  • Part of your project: preliminary design

  9. E-commerce model
  • The need for peer-to-peer communications
  • An extranet is an inter-network linking different companies’ internal networks.
  • What are the requirements of an inter-company web-based application?
    • Trust!
    • Authentication
    • Non-repudiation
    • Anything else?
  • → Web services

  10. Web Services
  • Multi-party Web services

  11. E-shopping cart systems
  • Uses of an e-shopping cart:
    • Temporarily stores what the customer has picked;
    • Provides a summary of the items (prices, S&H cost, etc.) in the cart when needed (per the customer’s request or at the time of checkout);
    • The customer may replace items in the cart until the transaction is finalized.

  12. E-shopping cart systems
  • The e-shopping cart application forms the heart of the e-shopping application.
  • It binds the customer, the product catalog, the inventory system, and the payment system together.

  13. E-shopping cart systems
  • Implementation requirements:
    • Accuracy: It correctly records what the customer has picked and changed.
    • Flexibility: It allows the customer to freely replace items in the cart.
    • Integration: with the product catalog, the inventory system, and the payment gateway.
    • Integrity: No tampering with the cart’s content, whether by a malicious 3rd party or by programming errors (e.g., mixing up two different carts)

  14. E-shopping cart systems
  • Components:
    • Session management
    • Product catalog application
    • Payment gateway
    • Back-end databases (e.g., product inventory, customer information)

  15. E-shopping cart systems
  • Sample problems with insecure shopping carts:
    • Remote command execution over HTTP
    • Unprotected sensitive information retrievable via HTTP
    • Improper or no ‘input sanitization’ → results in remote command execution
    • Modified hidden HTML form fields

  16. Payment processing system
  • The checkout process:
    • Finalize the order
    • Choose the method of payment
    • Verify the chosen payment method
    • Log all transactions
    • Fulfill the order
    • Generate a receipt

  17. Payment processing system
  • The payment gateway interface (figure on the next page):
    • Interacts with the order information page, the back-end databases, and the payment gateway
    • Provided by the institution that hosts the payment gateway (e.g., Verisign or PayPal)
    • Integrated into the e-shopping application and invoked by the electronic storefront app.
    • SSL-encrypted interface with the payment gateway (Q: how about the interfaces with the other components?)

  18. Payment processing system

  19. Payment processing system
  • Payment system implementation issues:
    • Never trust “sensitive” data passed from the client side. Why?
    • Do not store temporary info within the Web server’s document folder. Why?
    • Temporary info should be destroyed after its use.
    • Use SSL to encrypt communication links. Why?
    • Carefully protect user profiles!
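The “modified hidden HTML form fields” problem from slide 15 and the “never trust sensitive data passed from the client side” rule from slide 19, shown as an added example (not code from the slides or the cited book): a checkout total that trusts a hidden price field posted by the browser, next to a hardened version that recomputes the total from the server-side catalog, bounds the quantity, and logs any mismatch as a tampering signal. The catalog, SKUs and form bodies are constructed for the example.

```python
import logging
from decimal import Decimal

# Constructed server-side catalog: the only trusted source of prices.
CATALOG = {
    "sku-100": {"name": "Widget", "price": Decimal("19.99")},
    "sku-200": {"name": "Gadget", "price": Decimal("49.00")},
}

log = logging.getLogger("checkout")


def vulnerable_total(form):
    """Insecure: uses the hidden 'price' field the browser posted back."""
    total = Decimal("0")
    for item in form["items"]:
        total += Decimal(item["price"]) * int(item["qty"])
    return total


def hardened_total(form, max_qty=99):
    """Recomputes the total from CATALOG; the posted price is never used
    for arithmetic, only compared so that tampering can be detected."""
    total = Decimal("0")
    for item in form["items"]:
        sku = item["sku"]
        if sku not in CATALOG:
            raise ValueError(f"unknown sku {sku}")
        qty = int(item["qty"])
        if not 1 <= qty <= max_qty:  # rejects 0, negatives and bulk abuse
            raise ValueError(f"bad quantity {qty} for {sku}")
        real = CATALOG[sku]["price"]
        posted = item.get("price")
        if posted is not None and Decimal(posted) != real:
            # Worth alerting on: a browser cannot change this by itself.
            log.warning("price tampering sku=%s posted=%s real=%s", sku, posted, real)
            raise ValueError(f"price mismatch for {sku}")
        total += real * qty
    return total


def checkout(form):
    """What a handler would call: an outcome dict, no exception leaking out."""
    try:
        return {"ok": True, "total": str(hardened_total(form))}
    except ValueError as exc:
        return {"ok": False, "reason": str(exc)}


# Constructed POST body in which the hidden price field was edited to 0.01.
TAMPERED_FORM = {"items": [{"sku": "sku-200", "qty": "1", "price": "0.01"}]}
```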