Thread: Thanks everyone - please review http://ttasp.open.ac.uk/~jc22454/ecatest/ab_home.asp (ASP Free Forums > Web Design > Site Reviews)
View Poll Results: What do you think of the site? (choose all that apply)

| Option | Votes | Share |
| --- | --- | --- |
| Great job! | 0 | 0% |
| For what you have said you have done, it's okay | 1 | 25.00% |
| It's okay but there were a few mistakes | 1 | 25.00% |
| The coding is okay but the layout needs work | 0 | 0% |
| The layout is okay but the coding needs work | 2 | 50.00% |
| Stop programming now! For God's sake! For love of mankind stop creating this pap! | 0 | 0% |

Voters: 4. You may not vote on this poll.
#1

Well I finally managed the coding section of the ASP module of my Uni degree (that's a lot of 'of's'!)

So here is a link to the result: End of Course assignment

Some of the links will take you to a generic 'Under construction' page, these are: About Us, Contact Us, Transaction History, Our Services. This is because in the scope of the assignment they are not required and so have been left under construction. Certain links are also only available if you are logged in (the catalogue for example).

The idea of this is to create a customer login with a catalogue and shopping cart, using text files as a data source (basically using TextStream and FileSystemObject) without using databases, with the ability to check for duplicate registration credentials, incorrect login details etc, everything you would expect from a simple shopping cart, which is what I have done...

I would be grateful if anybody on the board would try the site out, look for dead links, functions that do not work etc as I have to hand this in with my report and I do not want a rubbish grade!

Thanks in advance for any help given

Jimmy

PS, if you register, I would recommend using fake addresses as I have not yet secured the text files correctly and at the moment anyone can read them; this is just so I can debug at the moment and as soon as I believe it is complete I will secure them so no one can read them. (Don't worry, when it comes to paying insert any 16 digit number as a credit card and it will pass, this is just a sample site after all!)
#2

It's too English

It didn't accept my American format phone number. And 57 bucks for a frying pan is a bit steep. Other than that everything seemed to do what it was supposed to do.

Last edited by mystic7 : July 3rd, 2008 at 01:14 PM.
#3

--moved to Site Reviews forum, that's the proper place to ask members here to review your website. Feel free to post special thanks in the Lounge.
#4

1) It's vulnerable to XSS (Cross-Site Scripting) attacks. View XSS Attack in Firefox
2) You pass the item price in the URL, so anyone can change the price of an item when it is added to their shopping cart.
3) You have not disabled "autocomplete" on the login form, so this could allow users' credentials to be stolen.
4) Server header shows the app is running on an "Apache/2.0.46 (Red Hat)" server, which has known security vulnerabilities.
5) Standard SQL injection attack (' or 1=1--) placed in the "Customer Login" page changes the "Login" menu to "Logout"; it also ends up displaying the "Customer Services" and "Transaction History" menu items. It appears vulnerable to blind SQL injection.
6) The server responds with a "200 OK" response after log in, which means users' credentials are stored in the browser's cache.
7) After registration you display the user's login credentials on the screen in clear text.
8) You don't perform proper input validation anywhere.
9) Your shopping cart allows for negative quantities (-1).
10) You store customer info in a cookie in clear text.
Code:
    Set-Cookie: AandBPans=Cust=0&Cart=2008545876; expires=Tue, 2-Sep-2008 23:00:00 GMT; path=/
11) Account harvesting is possible via the registration page.

This was all discovered within about 10 minutes of looking at the site. For more information on how to mitigate these issues, read the articles listed under the "Code Security" section at the link below.

Code Security Articles

Last edited by Memnoch : July 4th, 2008 at 08:39 PM.
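The review above lists several findings that share one root cause: the server trusts values the client sends (the item price in the URL, the quantity, the customer id in the cookie, unescaped text echoed into the page). The block below is an added example, written here in Python rather than in the site's Classic ASP, and it is not code from the assignment or from the forum. It shows the server-side checks that close points 1, 2, 8, 9 and 10: the price is looked up from a server-held catalogue and any client-supplied price is ignored, the quantity must match a strict whole-number pattern so "-1" and "1.5" are rejected, user-controlled text is HTML-escaped before output, and the cart cookie carries an HMAC so edits to it are detected. The catalogue contents, item codes and `COOKIE_SECRET` are constructed for the example.

```python
import hashlib
import hmac
import html
import re
from decimal import Decimal

# Constructed sample catalogue (not the site's data): prices are looked up
# here on the server and never taken from the request.
CATALOGUE = {
    "FP001": {"name": "Frying pan", "price": Decimal("57.00")},
    "SP002": {"name": "Saucepan", "price": Decimal("23.50")},
}

# Hypothetical server-side secret for the cart cookie; a real deployment
# would load a random value from configuration, not hard-code it.
COOKIE_SECRET = b"replace-with-a-random-server-secret"

# Accepts 1..99 only: no sign, no decimals, no leading zeros, no empty string.
QTY_PATTERN = re.compile(r"[1-9][0-9]?")


class BadRequest(ValueError):
    """Raised when client-supplied input fails validation."""


def add_to_cart(cart, params):
    """Apply an 'add to cart' request to ``cart`` ({item_id: quantity}).

    ``params`` stands in for the parsed query string. A client-supplied
    'price' key is ignored entirely; only the catalogue decides the price.
    """
    item_id = params.get("item", "")
    if item_id not in CATALOGUE:
        raise BadRequest("unknown item")
    qty_raw = params.get("qty", "")
    if not QTY_PATTERN.fullmatch(qty_raw):
        raise BadRequest("quantity must be a whole number from 1 to 99")
    cart[item_id] = cart.get(item_id, 0) + int(qty_raw)
    return cart


def validation_error(params):
    """Return the rejection message for ``params``, or None if accepted."""
    try:
        add_to_cart({}, params)
    except BadRequest as exc:
        return str(exc)
    return None


def cart_total(cart):
    """Total the cart from server-side prices only."""
    return sum(CATALOGUE[item]["price"] * qty for item, qty in cart.items())


def render_greeting(username):
    """Escape user-controlled text before it is written into the page."""
    return "<p>Welcome, %s</p>" % html.escape(username, quote=True)


def sign_cookie(value):
    """Append an HMAC so the server can detect edits to the cookie value."""
    mac = hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + mac


def verify_cookie(cookie):
    """Return the cookie value if its HMAC is valid, otherwise None."""
    value, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    cart = add_to_cart({}, {"item": "FP001", "qty": "2", "price": "0.01"})
    print(cart, cart_total(cart))                 # price override ignored
    print(validation_error({"item": "FP001", "qty": "-1"}))
    print(render_greeting("<script>alert(1)</script>"))
    signed = sign_cookie("Cust=0&Cart=2008545876")
    print(verify_cookie(signed))
    print(verify_cookie(signed.replace("Cust=0", "Cust=7")))  # None
```

Signing the cookie stops a visitor from switching `Cust=0` to another customer's id, but the value is still readable, which is the clear-text point in item 10; the usual stronger design keeps the customer record on the server and puts only a random session id in the cookie. The quantity check uses a whitelist pattern rather than a blacklist of bad characters, which is the general form of the input validation item 8 asks for.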