Web Security Report


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/337415279

SECURE ONLINE AUCTION SYSTEM

Article · January 2018
Citations: 0 · Reads: 2,236

1 author: Adarsh Agarwal, VIT University

All content following this page was uploaded by Adarsh Agarwal on 16 January 2021.


VIT University
Fall Semester 2018-19
BCI3001 – Web Security
Review #3
Name: Adarsh Agarwal
Reg. No. 16bme0086

“SECURE ONLINE AUCTION SYSTEM”

ABSTRACT

An online auction is a business model in which items are sold through price bidding.
Each bid has a start price and an ending time. Potential buyers bid in the auction, and
the winner is the one who bids the highest price for the item within the stipulated time.
To buy a product online, a user must provide personal details such as an email address,
a contact number and a scanned copy of the Aadhaar card. This is where security comes
in. The email address is verified via a link with a fixed expiry time, and the contact
number is validated using an OTP. Only an authenticated user has the authority to bid.
This prevents various frauds in online auctions and gains the trust of the clients. In
short, it is a “SECURE ONLINE AUCTION SYSTEM”. The whole project is divided into modules
that are worked upon separately and finally integrated to obtain the desired online
auction service.
INTRODUCTION
A website is a final product that performs some activities; it is meant to serve a
purpose. That purpose is usually defined by demand or necessity in the market. The
market comprises the end-users who will use the product, sellers and buyers in our
case. As developers, our job is not only to create websites that serve the purpose but
also to make them easy to use and able to cater to many people. We cannot assume that
a user is well versed in web surfing, so we need to provide an aesthetic and
self-explanatory user interface. There are several online auction sites such as eBay
and Listia, but their security protocols have not been taken care of. So the major
concern for earning a user's trust is proper validation and verification of a genuine
product.

METHODOLOGY

• The flow diagram depicts the control flow of the web application, and the class
diagram highlights the entities and the privileges offered.
IMPLEMENTATION
• The programming languages used for the front-end are HTML5, CSS3 and JavaScript.
• Node.js, Cloud9 and Express are used for the back-end development.
• “Adobe Dreamweaver CC 2018” is the core software in which the project is set up.
• The “Mozilla Developer Network” is a great source of documentation, so “Firefox” is
the preferred browser for the best response from the system.
• The home page comprises the logo and the name of the online auction site in India.
• The ‘navbar’ and the ‘jumbotron’ inside a ‘container’ give the user interface its
design; these are the Bootstrap components used.
• The wide variety of products ranges from automobiles to electronics.
• The “Sign Up” and “Login” functionality opens the pages that store the details of a
user in an interactive environment.
• The page returns to the form if any error occurs during execution.
SAMPLE CODE -

product schema (in models directory):

var mongoose = require("mongoose");

//SCHEMA SETUP
var productSchema = new mongoose.Schema({
  name: String,
  image: String,          // URL of the product image, supplied by the seller
  description: String,
  //the author is recorded from the logged-in session, not from the form
  author: {
    id: {
      type: mongoose.Schema.Types.ObjectId,
      ref: "User"
    },
    username: String
  },
  //comments are stored as references and populated when a product is shown
  comments: [{
    type: mongoose.Schema.Types.ObjectId,
    ref: "Comment"
  }]
});

module.exports = mongoose.model("product", productSchema);

app.js file:
var express       = require("express"),
    app           = express(),
    bodyParser    = require("body-parser"),
    mongoose      = require("mongoose"),
    passport      = require("passport"),
    LocalStrategy = require("passport-local"),
    User          = require("./models/user"),
    seedDB        = require("./seeds");

//importing routes
var productRoutes = require("./routes/products"),
    commentRoutes = require("./routes/comments"),
    indexRoutes   = require("./routes/index");

mongoose.connect("mongodb://localhost/bid_vibes");
app.use(bodyParser.urlencoded({extended: true}));
app.set("view engine", "ejs");
app.use(express.static(__dirname + "/public"));
// seedDB(); // seed the database

//PASSPORT CONFIGURATION
//NOTE: the session secret is hard-coded here; in a deployment it should be
//read from an environment variable so that it is never committed to source.
app.use(require("express-session")({
  secret: "I love myself more!!",
  resave: false,
  saveUninitialized: false
}));
app.use(passport.initialize());
app.use(passport.session());
//authenticate/serializeUser/deserializeUser are supplied to the User model
//by the passport-local-mongoose plugin
passport.use(new LocalStrategy(User.authenticate()));
passport.serializeUser(User.serializeUser());
passport.deserializeUser(User.deserializeUser());

//expose the logged-in user to every EJS template
app.use(function(req, res, next){
  res.locals.currentUser = req.user;
  next();
});

app.use("/", indexRoutes);
app.use("/products", productRoutes);
app.use("/products/:id/comments", commentRoutes);

//PORT and IP are provided by the Cloud9 environment
app.listen(process.env.PORT, process.env.IP, function(){
  console.log("The BidVibes Server has started!!");
});

products.js file:

var express = require("express"),
    router  = express.Router(),
    product = require("../models/product");

//INDEX - show all products
router.get("/", (req, res) => {
  //get all products from database (db)
  product.find({}, function(err, allproducts){
    if(err){
      console.log(err);
      res.redirect("/");   //always answer the request, even on error
    }else{
      res.render("products/index", {products: allproducts});
    }
  });
});

//NEW - show form to create new product (login required)
router.get("/new", isLoggedIn, function(req, res){
  res.render("products/new");
});

//CREATE - Add new product to the DB (login required)
router.post("/", isLoggedIn, function(req, res){
  //get data from product form
  var name  = req.body.name;
  var image = req.body.image;
  var desc  = req.body.description;
  //the author comes from the authenticated session, never from the form body
  var author = {
    id: req.user._id,
    username: req.user.username
  };
  //Create a new product and save to database
  var newproduct = {name: name, image: image, description: desc, author: author};
  product.create(newproduct, function(err, newlyCreated){
    if(err){
      console.log(err);
      res.redirect("/products/new");
    }else{
      console.log(newlyCreated);
      //redirect to products get request
      res.redirect("/products");
    }
  });
});

//SHOW - shows more info about one product
router.get("/:id", (req, res) => {
  //Find the product with the given ID
  product.findById(req.params.id).populate("comments").exec(function(err, foundproduct){
    //a malformed or unknown id must not reach the template as null
    if(err || !foundproduct){
      console.log(err || "product not found: " + req.params.id);
      res.redirect("/products");
    }else{
      //render the show template for that product
      res.render("products/show", {product: foundproduct});
    }
  });
});

//middleware - only an authenticated Passport session may continue
function isLoggedIn(req, res, next){
  if(req.isAuthenticated()){
    return next();
  }
  res.redirect("/login");
}

module.exports = router;
products.ejs file (index page) -

<% include ../partials/header %>

<div class="container">
  <header class="jumbotron">
    <div class="container">
      <h1>Welcome to Online Auctions - </h1>
      <p>View our hand-picked products from all over the world</p>
      <p>
        <a class="btn btn-primary btn-lg" href="/products/new">Add New product</a>
      </p>
    </div>
  </header>

  <div class="row text-center" style="display:flex; flex-wrap:wrap">
    <% products.forEach(function(product){ %>
      <div class="col-lg-3 col-md-4 col-sm-6">
        <div class="thumbnail">
          <img src="<%= product.image %>" alt="Image">
          <div class="caption">
            <h3><%= product.name %></h3>
          </div>
          <p>
            <a href="/products/<%= product._id %>" class="btn btn-primary">More Info</a>
          </p>
        </div>
      </div>
    <% }) %>
  </div>
</div>
<% include ../partials/footer %>

SNAPSHOTS - (screenshots not reproduced here)
HOME PAGE
THE PRODUCT VIEW
ADDING NEW PRODUCT

VULNERABILITY ANALYSIS
• A session id is issued to the user and expires after a given time, using the
“express-session” library from the node modules on Cloud9.
• All user-entered data is considered malicious, so every input passes through
“express-sanitizer”, which treats script tags as plain strings.
• The ‘navbar’ provides the basic options: sign up and login for new users, and
logout for users who are already logged in.
• A user can add a new product only if she is logged in.
• Inputs are taken by the registration form, and users who already have an account
are directed to the login option.
• The creative and innovative project design attracts new users.
• A user can add a comment only if she is logged in.
• Passport.js with the local strategy (passport-local-mongoose) is used to safely verify
the entered credentials against the data stored in MongoDB.

PREVENTIVE MEASURES
• A firm back-end is developed so that no important information is leaked.
• Unique usernames provide a platform where an attacker cannot guess randomly chosen
system-generated user ids such as CUST111, CUST112 . . .
• The information given by a newly registered user is validated by an administrator,
which reduces spamming.
• A minimum password length protects genuine customers by rejecting weak passwords.
• Passport.js is used to authenticate the user's identity.
• Further, authorization is also performed to ensure safety from an attacker.
• More options will be available for finding the required product efficiently, such as
sorting and searching.
• An invoice will be generated for the payment gateway, which is to be a third-party
service.
CONCLUSION
• The decrease in trust in online auction sites is basically due to the vulnerabilities
found in their functions.
• The time has come to stop taking the customer's credentials for granted as
technology moves further into software.
• A great UI/UX design attracts users, and a secure website keeps them using our
framework in the long run.
• So this project hopes to clear all such doubts from the users' perspective and to
provide the best design available to date.
• A help manual will be available for registered as well as unregistered users to
clarify the purpose of the web service. It will be much like terms and conditions, but
in a concise form.
• A set of around five themes gives users flexibility, since some of them might be
colour blind; such issues are taken into consideration.
• So the list of features to be offered is kept in mind as per the problem statement.
The feedback given by customers may help us identify bugs and take action
accordingly.

