TRAP@NCI

Invoice System

Harris, Stephen Luke (2017) Invoice System. Undergraduate thesis, Dublin, National College of Ireland.


Abstract

The project initially started following an internship in Thriftify, where I worked on both the server and the client side of the website. While working there, I discovered XSS and some SQL injection that could affect the website's confidentiality and some elements of integrity in the sections I made myself. This is when I started implementing server-side validation in the project, without any prior knowledge of the security methods that could be taken.

After specialising in security in my final year of college, I have learned more techniques that further protect the user. The problem with a lot of websites today is that they do not contain security elements that protect against some of the most common attacks outlined in the OWASP Top 10 Web Application Risks 2013-2017. SQL injection is still a major issue with some web pages that have less funding to set up security measures. An example of this that is still available is a bus company's website that offers lifts to airport staff at hours when Dublin Bus does not operate. If you navigate to the 'Find my bus' section of the website and enter any character that may return an error in SQL, the website informs the user of an SQL error. I didn't test any further because I do not want to be responsible for a website being hacked, but it shows two examples from the OWASP Top 10 that the company does not protect against on a regularly used website: error handling and SQL injection. This is only one example of the malicious activity that can happen online. Some of the biggest multinational companies have fallen victim to information exposure: Microsoft's Xbox accounts have been hacked in the past, and even my own account data has been leaked; Paddy Power, Dropbox... the list goes on. If some of the security features present in my application had been present on these huge systems, the account information would not have been leaked.

On the other side of things, security can slow the website down, and the website needs to be available to users and accessed in a quick and timely fashion. Too much security can lead to slow response times in order to protect the confidentiality of the user's information. As an example of this, AES encryption can take roughly 2-3 seconds to encrypt/decrypt any given value. If we decided that all information located on our server is highly sensitive, we could use our encryption technique to encrypt all of the information. Although this can seem like a good idea to an inexperienced user, this would essentially stack the encryption/decryption times to 15-30 seconds. When making an application to be used by the general public, this is not acceptable. The general standard for wait times is 1 second for navigating between pages on a website, so for this project I aim to meet this while still using the AES technique. Of course, in areas such as logging in, the user will experience a longer delay of about 2-3 seconds due to the encryption.

Item Type: Thesis (Undergraduate)
Subjects:
  Q Science > QA Mathematics > Electronic computers. Computer science
  T Technology > T Technology (General) > Information Technology > Electronic computers. Computer science
  Q Science > QA Mathematics > Computer software
  T Technology > T Technology (General) > Information Technology > Computer software
Divisions: School of Computing > Bachelor of Science (Honours) in Computing
Depositing User: CAOIMHE NI MHAICIN
Date Deposited: 02 Nov 2017 15:56
Last Modified: 02 Nov 2017 15:56
URI: http://trap.ncirl.ie/id/eprint/2735
