This is Group H's final assignment for the module ELEC0138: Security and Privacy 23/24.
In this project, a ticket sales website is created. The website is designed to sell tickets for various events.
The website has two versions:
- the unsafe version contains vulnerabilities that can be exploited by attackers;
- the safe version is designed to be secure and to protect the user's data.
The website has various features, including ticket sales, a shopping cart, and user reviews.
The website is built using Flask for the backend and Vue.js for the frontend. The website uses SQLite as the database.
- Qiyuan Liu (23075647)
- Yiwen Yang (23143115)
- Zhaoyan Lu (23049710)
- Zirui Wang (23039407)
| Attack Type | Description |
|---|---|
| Phishing | Examine vulnerabilities that could be exploited by phishing attacks to educate and build awareness. |
| Brute-force | Simulate brute-force attacks to test the strength of password policies and authentication methods. |
| CSRF (Cross-Site Request Forgery) | Demonstrate how CSRF attacks can manipulate users into performing actions without their knowledge. |
| SQL Injection | Assess the robustness of database systems against unauthorized data manipulation or access. |
| Credential Stuffing | Highlight the risks of reused credentials and the importance of unique password policies. |
| DoS (Denial of Service) | Showcase methods attackers use to disrupt service availability. |
| XSS (Cross-Site Scripting) | Explore how malicious scripts can be injected into web pages and compromise user interactions. |
- Node.js 20.11.1
- Anaconda / Miniconda for Python 3.8
We offer two versions of our ticket sales website.
One is the unsafe mode, which has known security risks and vulnerabilities; the other is the safe mode, which incorporates numerous mechanisms to safeguard the system.
You select the website's mode with the options described below (an environment variable for the backend, a `.env` setting for the frontend).
We are using Flask to create our backend server.
Open a new terminal and run:

```shell
$ make create-env
# or
$ conda env create -f environment.yml
```

Activate your conda environment:

```shell
$ conda activate security
```

To run the website:

```shell
$ cd v1/backend
# Safe mode (default)
$ python app.py
# Unsafe mode
$ MODE=unsafe python app.py
```

The backend server's URL is http://127.0.0.1:5000.
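The following is an added illustration of how a `MODE` switch like the one above can be wired so that the protected configuration is the default and only an explicit `MODE=unsafe` relaxes it. It is example code written for this README, not the project's `app.py` (which is not shown here); the setting names, the in-memory user table and the sample users are assumptions. The database lookup shown is the parameterised form that the safe mode should use, so a crafted username is only ever compared as a literal string.

```python
import os
import sqlite3
from typing import Optional

# Added example; the real app.py is not on the page. MODE is assumed to be read
# from the environment exactly as "MODE=unsafe python app.py" suggests.
SAFE = "safe"
UNSAFE = "unsafe"


def resolve_mode(environ=None) -> str:
    """Return "unsafe" only when MODE is explicitly set to that; anything else is "safe".

    Defaulting to the safe mode means a missing or mistyped variable never
    silently disables protections.
    """
    env = os.environ if environ is None else environ
    value = env.get("MODE", SAFE).strip().lower()
    return UNSAFE if value == UNSAFE else SAFE


def security_settings(mode: str) -> dict:
    """Hypothetical Flask-style settings each mode would apply (assumed names)."""
    hardened = mode == SAFE
    return {
        "SESSION_COOKIE_HTTPONLY": hardened,          # cookie not readable by page scripts
        "SESSION_COOKIE_SAMESITE": "Lax" if hardened else None,  # limits cross-site sends
        "CSRF_PROTECTION": hardened,                  # token check on state-changing forms
        "LOGIN_RATE_LIMIT": hardened,                 # slows brute-force / credential stuffing
    }


def make_demo_db() -> sqlite3.Connection:
    """In-memory SQLite with constructed sample users (placeholder data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> Optional[tuple]:
    """Parameterised lookup: the driver binds `username` as a value, never as SQL
    text, so input containing quotes or comment markers cannot alter the query."""
    return conn.execute(
        "SELECT id, username, email FROM users WHERE username = ?", (username,)
    ).fetchone()


if __name__ == "__main__":
    mode = resolve_mode()
    print(f"mode={mode} settings={security_settings(mode)}")
    db = make_demo_db()
    print(find_user(db, "alice"))        # (1, 'alice', 'alice@example.com')
    print(find_user(db, "' OR 1=1 --"))  # None: compared as a literal username
```

Run it with and without `MODE=unsafe` in the environment to see the settings dictionary change; the lookup behaves identically in both modes because the parameter binding, not the mode flag, is what keeps it safe.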
We are using Vue.js to create our frontend website.
Open a new terminal and run:

```shell
$ cd v1/frontend
# Install all dependencies needed
$ npm install
```

Choose your website mode by setting `VITE_APP_MODE` in `v1/frontend/.env.development`:

```shell
# Safe mode (default)
$ cat v1/frontend/.env.development
...
VITE_APP_MODE=safe
# Unsafe mode
$ cat v1/frontend/.env.development
...
VITE_APP_MODE=unsafe
```

Launch your website:

```shell
$ npm run dev
```

You can then visit our ticket selling website at http://localhost:5173.
We are using SQLite as our database.
By default:

```
username: elec0138
password: 8964
```