ENHANCED PROTECTION SYSTEM FOR ONLINE SHOPPING TO AVOID CROSS SITE SCRIPTING (XSS)
AN ENHANCED PROTECTION SYSTEM FOR ONLINE SHOPPING TO AVOID CROSS SITE SCRIPTING (XSS) ATTACKS
ABSTRACT
Websites today are more complex than ever, containing a lot of dynamic content that makes the experience more enjoyable for the user. An online shopping system permits a customer to browse products and submit online orders for products. The system accepts feedback from the user about a particular product. To do all these things, users must register by giving their confidential details.
While shopping online, customers may face many problems, such as personal details being hacked by third parties. JavaScript can be used by hackers for malicious purposes. Our online shopping site contains laptops, TVs and iPods. Any user can open this site and browse the products. The user can view the details/description of a product and its price. If the user wants to purchase a product or post a comment about a particular product, he must be a registered user; their details are then stored in cookies.
Cross Site Scripting (XSS) is the most dangerous technique for hacking websites. An attacker can steal cookies, which can then be used to impersonate a customer and access their data and privileges; this is known as Session Hacking. The hacker can post a hyperlink or JavaScript code as foreign data in a comment, and then there is a chance to steal the details of the users who view the comments posted by the hacker. By using those details, the hacker can send fake emails to the user.
We present a few approaches to preventing cross-site scripting attacks. Filter foreign data, meaning that filters check all the data posted by the user. Filter input parameters for special characters. Filter output based on input characters for special characters.
PROBLEMS IN EXISTING SYSTEM
While shopping online, customers may face many problems, such as personal details being hacked by third parties. The main problem in the current scenario is that hackers track users' activities by using phishing techniques like cross site scripting (XSS). JavaScript can be used by hackers for malicious purposes. By inserting this code into the user's request page, a hacker can steal cookies, which can then be used to access the user's data and privileges; this is known as Session Hacking. Recipients of the scam email are asked to click on an included hyperlink, which redirects them to a fake website asking for private information such as credit card numbers, banking details and other account data. All these details will be collected and used by the fake users.
ADVANTAGES IN PROPOSED SYSTEM
In this application we provide some approaches for preventing XSS attacks.
• Security will be provided for the online shopper's personal details.
• Filter all foreign data, meaning that filtering is performed both on user input and on server response data.
• Filter input parameters for special characters.
• Filter output based on input characters for special characters.
• Filter all the data that the user wants to post as comments.
• If input data contains JavaScript code, that data is not allowed to be stored on the server.
• Remove JavaScript code from user-provided markup.
JUSTIFICATION ABOUT TECHNOLOGY:
Our application uses two techniques: the XSS technique, for stealing the session details, and the filtering technique, for preventing that.
Cross Site Scripting(XSS)
Cross Site Scripting (XSS) is one of the phishing techniques. The attacker inserts cross-site script code into the user's request page, and the code runs in the user's browser. There are two types of XSS attack: persistent and non-persistent. In a persistent attack, the attacker can steal the current session at the time the web page loads. In a non-persistent attack, the hacker can steal the current session when the user clicks a hyperlink provided by the hacker. In our shopping website, a user can browse products, post comments on a particular product and see all the comments posted by other users. When a user wants to see the description of a particular product, they click on that product. In a persistent attack, the current session is hijacked at the time that page loads. In a non-persistent attack, the hacker posts a URL as a comment. If a general user sees that comment and clicks the link, the current session is stolen by the hacker. From that, the hacker can get the current session id. By using that id, the attacker can learn the personal details of the user.
Here we develop a filtering technique to keep malicious code out of request parameters and cookies.
Filtering technique:
In this technique we filter all foreign data. For that we follow some tips.
Escape parameters and User Input :- The safest step we can take is to escape all parameters to a page where the parameters are displayed in the content. The same applies to any user input that may be displayed or re-displayed in a web page rendered by a server. The downside is that your users cannot provide markup.
Remove JavaScript code from User Provided Markup :- There may be cases where we want to allow a user to add markup in any part of the application, such as links or HTML content that is displayed for other users to see. The solution would be to filter all markup before it is displayed in a page or before it is sent to a server or service. Remove JavaScript calls from element attributes, including styles, as they can be used to execute JavaScript. Also remove script blocks.
Filter User Input on the Server :- We should always filter user input that is stored or processed on a server, because URLs and GET/POST requests can be created manually.
Avoid XSS Phishing Attacks :- Be aware of sites that contain vulnerabilities and of phishing-style attacks containing external script references.
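The first and third tips above, sketched in Java as an added example (it is not code from the project report). It escapes a posted comment before it is written into a page and applies an allow-list to links posted in comments. The class name CommentFilter, the method names escapeHtml and isSafeLink, the sample comments and the shop.example URL are all assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

public class CommentFilter {

    // Escape the characters that let text break out of HTML element content
    // or a quoted attribute value, so a comment is shown as text and never parsed.
    static String escapeHtml(String input) {
        if (input == null) return "";
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (char c : input.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Allow-list for links posted in comments: absolute http/https URLs only.
    // Anything else (javascript:, data:, unparsable input) is rejected.
    static boolean isSafeLink(String url) {
        if (url == null) return false;
        try {
            URI uri = new URI(url.trim());
            if (uri.getScheme() == null || uri.getHost() == null) return false;
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            return scheme.equals("http") || scheme.equals("https");
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample input, not taken from the project.
        String[] comments = { "Good TV for the price", "<script>alert(1)</script>",
                              "<img src=x onerror=alert(1)>" };
        for (String c : comments) System.out.println(escapeHtml(c));
        String[] links = { "https://shop.example/laptops/42", "javascript:alert(1)" };
        for (String l : links) System.out.println(l + " -> " + isSafeLink(l));
    }
}
```

Both checks run on the server, so they still apply when a request is crafted by hand rather than sent from the site's own form.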
JUSTIFICATION ABOUT PROGRAMMING LANGUAGE:
To implement the “An Enhanced Protection System for Online Shopping to Avoid XSS Attacks” application, I am choosing Java as the programming language. Because we provide security for a website, the programming language used to implement the application should also be secure. Java is a secure language and is portable.
Security - Whenever the user accesses data from the website, our application provides security for the user's personal details. For this reason we have to use Java in our application.
Portability - Portability is another feature of Java. With this feature my application can be accessed anywhere at any time, and the user may feel comfortable.
JVM - The JVM is the heart of the entire Java program process. It is responsible for taking the .class file and converting each bytecode instruction into a machine language instruction.
JUSTIFICATION ABOUT DATABASE SERVER:
This application stores information about products and users, and also stores the comments posted by users, so a database is needed for storing this data. Oracle 10g Database provides efficient, reliable, secure data management for high-end applications such as high-volume online transaction processing environments. As the content of one table is related to that of another, using the Oracle 10g database we can store all our existing data and retrieve the required information whenever it is needed.
JUSTIFICATION ABOUT WEB SERVER
This application needs to insert, retrieve and delete details in the database, so I need an interface between the application and the database. Apache Tomcat is an open source web server and is easily installed free of cost. The web server acts as an interface: it takes a request from the client, processes it, and the result is applied (insertion, update, deletion) to the database. In this application, I need an environment to execute the servlet programs for dynamic interaction.
SYSTEM REQUIREMENTS SPECIFICATION
MODULES

• User Registration
• Product Catalogue
• Product review
• Payment
Module 1: User Registration
• Provide registration for users with necessary details.
• Provide login with username and password for all the users.
• If a user forgets their password, ask a security question to regain it.
• User can update their password using change password.
• Generate functional alerts such as
Username already exists
Registered successful
Invalid username
• Generate queries such as
How to update the password or other details?
How to retrieve password in case forgotten?
• Generate reports such as
Day/Month/Year wise report on number of users registered.
Module 2: product catalogue
• Provide registration for brands.
• Provide registration for the laptop, iPods, TVs into the site according to their brands.
• Provide the specification of a particular product.
• The user can search the products
- Based on their category
- Based on their brand.
• Registered and non-registered members can search for the products.
• Give a detailed description of each product.
• Check whether the product is already registered or not.
• Generate alerts such as
Product successfully registered.
• Generate queries such as
List the Products registered in month
List the TVs/Laptops registered in a particular brand
• Generate report such as
Month wise report on number of TVs/laptops registered in the particular brand.