Implementation of a Shopping Cart Application

As shown in Figure 3-7, proper implementation of the shopping cart application requires integration of several different electronic business components. First, it is integrated with a session management component, which keeps track of a customer's shopping session. Second, it is integrated with the product catalog application, which generates a display of the products sold by the storefront and allows the customer to browse them; the customer can select a product from the catalog and place it in the shopping cart. Third, it is integrated with, and acts as an input to, the payment gateway, which comes into play at the end of the shopping session. Fourth, it is integrated with back-end databases such as product inventory, for automatically verifying and updating stock quantities, and customer information, for tracking customers' buying preferences.

Figure 3-7. Shopping cart implementation technology perspective

Since the early days of electronic retail shopping, many types of shopping carts have been introduced. Some shopping carts were made publicly available along with the source code, whereas some were sold as commercial third-party applications. Of the plethora of shopping carts, many failed because of improper implementation, which eventually led to security vulnerabilities.

Product Catalog

The product catalog typically consists of a product code, a product description, pricing, and other information. When a customer selects a product from the catalog, she places it in her shopping cart. Weak integration of the product catalog and the shopping cart leads to security vulnerabilities.

For example, if the customer can find a way to manipulate the price while selecting a product, a major error will occur. We look at such attacks in more detail in Chapter 10, where poorly implemented shopping carts allow customers to purchase products at reduced prices.

A well-implemented shopping cart application interfaces with the back-end product information database. Then parameters such as prices are derived from the database instead of relying on HTML form fields being passed back and forth. Quantity validation is an equally important issue. What happens if a customer enters a negative quantity into the shopping cart? What happens if the customer enters a fractional quantity?
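The following is an added example, not code from the book: a server-side "add to cart" handler that prices items from a catalog lookup rather than from form fields, rejects negative, zero, fractional and oversized quantities, and flags a submitted price that disagrees with the catalog so the attempt can be logged. The catalog contents, the MAX_QUANTITY limit and the form field names are assumptions made for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed stand-in for the back-end product database (made-up values).
CATALOG = {
    "SKU-100": {"price": Decimal("9.99"), "stock": 40},
    "SKU-200": {"price": Decimal("49.00"), "stock": 5},
}
MAX_QUANTITY = 20  # assumed per-line business limit


def parse_quantity(raw):
    """Accept only a whole number from 1 to MAX_QUANTITY, given as a string.
    Negative, zero, fractional ("1.5") and non-numeric input is rejected."""
    if not isinstance(raw, str) or not raw.strip().isdecimal():
        raise ValueError("quantity must be a positive whole number")
    qty = int(raw.strip())
    if not 1 <= qty <= MAX_QUANTITY:
        raise ValueError("quantity out of range")
    return qty


def add_to_cart(cart, form):
    """Add a line to the server-side cart (dict: product code -> quantity).
    Only product_code and quantity are read from the form. A submitted 'price'
    is never used; if it differs from the catalog price, True is returned so
    the caller can log the tampering attempt."""
    code = form.get("product_code")
    product = CATALOG.get(code)
    if product is None:
        raise ValueError("unknown product code")
    qty = parse_quantity(form.get("quantity", ""))
    current = cart.get(code, 0)
    if current + qty > product["stock"]:
        raise ValueError("insufficient stock")
    tampered = False
    if "price" in form:
        try:
            tampered = Decimal(form["price"]) != product["price"]
        except InvalidOperation:
            tampered = True  # non-numeric price field is also suspicious
    cart[code] = current + qty
    return tampered


def rejected(cart, form):
    """True if add_to_cart refuses the submission and leaves the cart unchanged."""
    try:
        add_to_cart(cart, form)
    except ValueError:
        return True
    return False


def cart_total(cart):
    """Price the cart from the catalog, never from anything the client sent."""
    return sum(CATALOG[code]["price"] * qty for code, qty in cart.items())
```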

Session Management

Another important aspect of shopping cart implementation is the session management mechanism. Each customer has to have a separate shopping cart while making purchases from the electronic store. Like regular storefronts, an electronic storefront probably caters to many customers at the same time. A poor session management mechanism may cause customers' shopping carts to get mixed up, which may lead to disastrous results, especially if one customer ends up paying for another customer's purchases. To manage customer shopping activities, a well-designed server-side session management system is essential. A poorly designed session management system can lead to session hijacking or information leakage.

Database Interfacing

The database interface between the shopping cart application and back-end databases is a prime target for attacks. If it isn't implemented properly, an attacker can inject malicious SQL queries into the database and cause a security breach. An attacker may also modify intermediate tables that store other users' shopping sessions and selections.

Integration with the Payment Gateway

At the end of the shopping session, all selected items in the shopping cart and the corresponding bill are passed to the invoice generation and payment processing page of the electronic store application. Weak integration in this area can allow prices to be tampered with, or invalid quantities to be entered, before the information is passed to the payment gateway.

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156