This assessment is relevant to the following Learning Outcomes:
Explain the range of threats to e-commerce security.
Explain how cryptography can be, and is, used to achieve security.
Describe the different standards in use for secure electronic commerce, such as certificates, MACs, etc.
Describe the different protocols in use for secure electronic commerce, such as SSL / TLS.
Q1. Security Attacks on E-Commerce Websites
Alice owns a computer store in Melbourne city. In order to increase the sales, she has developed an E-Commerce application for her computer store. Some of the well-known attacks on E-commerce websites are as follows:
Cross-Site Scripting (XSS)
SQL injections
Hidden field manipulation
Fishing Attack
Cookie poisoning
Web scraping
Layer 7 DoS attacks
Parameter tampering
Buffer overflow
Backdoor or Debug options
Stealth commanding
Forced browsing
Third-party misconfigurations
Alice realizes that the E-Commerce application must be secured before it becomes online. From that realization, she hires you and your team as a security consultant to identify the security risks of her developed E-Commerce application.
Create an E-commerce website (with a database as back-end and other necessary tools such as HTML, PHP, Javascript, CSS files etc.) for yourself to demonstrate the chosen attacks. However, for the sake of convenience, sample code of Alice’s E-Commerce application (includes HTML, PHP, JavaScript, and CSS source files) and the database (as SQL file) are uploaded in the CANVAS under the Assignment-1 home page. You should add or edit pages to whenever required.
Create a group of 3 people. Then, you are required to configure Alice’s E-Commerce application in your personal computer or any free websites (where you can host your website) using the knowledge you have learned from Tutorials 1 to 4.
Once you have configured the application, you are required to demonstrate at least three types of attacks that can be performed on Alice’s E-Commerce application. For each of the attack, you need to do the followings:
a) Write down all the necessary steps to launch each attack with screenshots.
b) Record the steps in a video and post it in the CANVAS or YouTube (as a private video). Provide the link. You should not share the link of the video any of your peer groups.
Provide the above items mentioned in (a) and (b) as a group.
Q2. Securing E-Commerce Website from spam and abuse
In the E-Commerce application that has been provided in the CANVAS in relation to Q1, only registered users should be authorized to login to the Ecommerce application and trade. A registered user can be either a seller or buyer who needs to create a user account. It is possible that several fake users are created by human attackers or software bots for hampering the operation of the E-Commerce application. To protect the E-Commerce application from spam and abuse, Alice requests you to integrate CAPTCHA in her E-Commerce application.
Considering the security strength of Google’s reCAPTCHA service, you have decided to integrate it in Alice’s application.
a) From the knowledge you have learnt in Tutorial, implement Google’s reCAPTCHA version 2:
i. Design a form similar to the one given in Figure-2.1 to create user account with Google’s reCAPTCHA version 2.
ii. Show step by step processes, with appropriate code segments and screenshots, how Google’s reCAPTCHA version 2 can be applied in the E-Commerce application to prevent creating fake user accounts. Also, record the steps in a video and post it in the CANVAS or YouTube (as a private video) and provide the link. You should not share the link of the video any of your peer groups.
Expected User Registration Page enabled with Google’s reCAPTCHA version 2
b) You have found that Google has a new version of its reCAPTCHA which is reCAPTCHA version 3. When you informed Alice about the reCAPTCHA version 3, she is convinced that reCAPTCHA version 3 is better.
To make Alice happy:
i. Design a form similar to the one shown in Figure-2.2 to create user accounts with Google’s reCAPTCHA version 3.
ii. Show step by step processes, with appropriate code segments and screenshots, how Google’s reCAPTCHA version 3 can be applied in the E-Commerce application to prevent creating fake user accounts. Also, record the steps in a video and post it in the CANVAS or YouTube (as a private video) and provide the link. You should not share the link of the video any of your peer groups.
iii. What are the advantages of using reCAPTCHA version 3?
User Registration Page enables with Google’s reCAPTCHA version 3
Q3. Simple Multi-Factor Authentication
Once user accounts have been created, only valid users should be allowed to login and trade using Alice’s E-Commerce application. However, attackers can still compromise the login system with the aid some sophisticated software. So, you have decided to integrate the multi-factor authentication in Alice’s E-Commerce application.
Develop an Email-based multi-factor authentication for Alice’s E-Commerce application that has the following requirements. Also, record the steps in a video and post it in the CANVAS or YouTube (as a private video) and provide the link. You should not share the link of the video any of your peer groups.
Requirements:
i. Create a simple login form as shown in Figure. When a user provides a valid email (your RMIT student email) and password (e.g. 1234), the user should receive a 6-digit random number in his/her email address as shown in Figure and the page to be shown as presented in Figure.
ii. Once the verification code is provided in the form shown in Figure, the code should be verified, and the Success Page is shown (see Figure). Otherwise, the Failure Page is shown (see Figure).
Login Form for Email-based Two Factor Authentication
Email containing the 6-digit Two Factor Authentication code
Form to Enter the Verification Code
Success Page shown if a valid code is entered
Failure Page shown if an invalid code is entered
Q4. Advanced Multi-Factor Authentication
Once user accounts have been created, only valid users should be allowed to login and trade using Alice’s E-Commerce application. However, attackers can still compromise the login system by performing the password guessing attack. To prevent an attacker getting access to the application by simply knowing the password, you have decided to integrate the multi-factor authentication in Alice’s E-Commerce application
a) Apply Google’s 2-step verification (e.g.2FA, also called 2 Factor Authentication or 2FA) to user accounts of the E-Commerce application. You need to perform the followings:
i. Create a login form (as shown in Figure-4.1) that would allow you to enter Email and password. Next, provide steps with necessary code segment and screenshots how you have integrated Goggle’s 2FA in Alice’s E-Commerce application. Also, record the steps in a video and post it in the CANVAS or YouTube (as a private video) and provide the link. You should not share the link of the video any of your peer groups.
Login Form with Google’s 2 Factor Authentication
iii. Once a user enters correct email and password, a screen (like Figure-4.2 or 4.3) should prompt the user to enter 2-step verification code as follows:
Google’s Form to enter verification code in Google’s 2 Factor Authentication
Another Google’s Form to enter verification code in Google’s 2 Factor Authentication
b) Design an SMS-based two factor authentication (2FA) framework and show step-by-step process to implement it in Alice’s E-Commerce application. In your designed 2FA framework, the E-commerce website should send an SMS to the verified user’s mobile phone number each time a user provides valid username and password. The verification code should be a unique short-lived code. Figure-4.4 shows an overview of the system. Show steps with necessary code segment and screenshots. Also, record the steps in a video and post it in the CANVAS or YouTube (as a private video) and provide the link. You should not share the link of the video any of your peer groups.
Overview of SMS-based 2 Factor Authentication system
Are you looking to add authentication in our web or mobile application to make it more secure, or need a complete application with authentication then you can contact us here: contact@codersarts.com