This is Group H's final assignment for the module ELEC0138: Security and Privacy 23/24.
In this project, a ticket sales website is created. The website is designed to sell tickets for various events.
The website has two versions:
- The unsafe version has vulnerabilities that can be exploited by attackers,
- while the safe version is designed to be secure and protect the user's data.
The website has various features, including ticket sales, shopping cart, and user reviews.
The website is built using Flask for the backend and Vue.js for the frontend.
The website uses SQLite as the database.
- Qiyuan Liu
23075647 - Yiwen Yang
23143115 - Zhaoyan Lu
23049710 - Zirui Wang
23039407
| Attack Type | Description |
|---|---|
| Phishing | Examine vulnerabilities that could be exploited by phishing attacks to educate and build awareness. |
| Brute-force | Simulate brute-force attacks to test the strength of password policies and authentication methods. |
| CSRF (Cross-Site Request Forgery) | Demonstrate how CSRF attacks can manipulate users into performing actions without their knowledge. |
| SQL Injection | Assess the robustness of database systems against unauthorized data manipulation or access. |
| Credential Stuffing | Highlight the risks of reused credentials and the importance of unique password policies. |
| DoS (Denial of Service) | Showcase methods attackers use to disrupt service availability. |
| XSS (Cross-Site Scripting) | Explore how malicious scripts can be injected into web pages and compromise user interactions. |
| Attack Type | Description |
|---|---|
| Phishing | Examine vulnerabilities that could be exploited by phishing attacks to educate and build awareness. |
| Brute-force | Simulate brute-force attacks to test the strength of password policies and authentication methods. |
| CSRF (Cross-Site Request Forgery) | Demonstrate how CSRF attacks can manipulate users into performing actions without their knowledge. |
| SQL Injection | Assess the robustness of database systems against unauthorized data manipulation or access. |
| Credential Stuffing | Highlight the risks of reused credentials and the importance of unique password policies. |
| DoS (Denial of Service) | Showcase methods attackers use to disrupt service availability. |
| XSS (Cross-Site Scripting) | Explore how malicious scripts can be injected into web pages and compromise user interactions. |
- Node.js 20.11.1
- Anaconda / Miniconda for python 3.8
We offer two versions of our ticket sales website.
One is the unsafe mode which may have some security risks and vulnerabilities, and the other is a safe mode that incorporates numerous mechanisms to safeguard the system.
You can change the website's mode using different options.
We are using Flask to create our backend server.
Open a new terminal and run:
$ make create-env
# or
$ conda env create -f environment.ymlActivate your conda environment:
$ conda activate securityTo run the website:
$ cd v1/backend
# Safe mode (default)
$ python app.py
# Unsafe mode
$ MODE=unsafe python app.pyThe backend server's URL is http://127.0.0.1:5000.
We are using Vue.js to create our frontend website.
Open a new terminal and run:
$ cd v1/frontend
# Install all dependencies needed
$ npm install
# Choose your website mode
# Safe mode (default)
$ cat v1/frontend/.env.development
...
VITE_APP_MODE=safe
# Unsafe mode
$ cat v1/frontend/.env.development
...
VITE_APP_MODE=unsafe
# Launch your website
$ npm run devAnd then you can visit our ticket selling website through http://localhost:5173.
We are using sqlite as our database.
By default::
username: elec0138password: 8964