Question: QUESTION 2: ASSESSING SECURITY FLAWS IN PAYMENT SYSTEMS: A CASE STUDY OF ONLINE TICKET BOOKING
I. Identify key security problems in the payment system of the Online Ticket Booking
website, like session management and transaction errors.
II. Examine the impact of these vulnerabilities on business operations, such as financial
losses and damaged customer trust.
III. Suggest security improvements using the SSDLC model, including better session
handling and authentication processes.
Scenario: Recently, a customer encountered a technical issue while attempting to purchase
tickets on the Online Ticket Booking website. Despite receiving an error message during the
payment process, the customer was charged twice. This incident highlights potential
vulnerabilities in the payment processing and transaction systems of the web application. As
a security expert, you have been tasked to analyze the security aspects of the ticketing
system, identify potential causes of the error, and propose solutions to prevent similar issues
in the future.
Question Instructions
I. Website and Payment Gateway Security:
Vulnerability Assessment: Identify potential vulnerabilities in the website's payment
gateway, such as SQL injection, cross-site scripting (XSS) or insecure direct object
references (IDOR).
Mitigation Strategies: Recommend security measures to protect against these
vulnerabilities, such as input validation, output encoding, and proper authorization
controls.
II. Data Privacy and Protection:
Personal Information Exposure: Assess whether the email's content reveals any
sensitive personal information that could be exploited.
Data Breach Prevention: Suggest measures to prevent data breaches, including
encryption, access controls, and regular vulnerability assessments.
III. Error Handling and Logging:
Error Message Handling: Evaluate the effectiveness of the error message displayed
on the website. Does it provide sufficient information without revealing sensitive
details?
Logging and Monitoring: Recommend logging practices to capture relevant
information about the incident, such as transaction details, error messages, and user
actions.
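The double charge in the scenario above is the classic lost-response retry problem: the gateway executes the charge, the response never reaches the booking site, the site (or the customer) resubmits, and a second real charge is made. The following Python is an added example, not part of the question or of any posted answer. It models a gateway that loses the response to the first charge, shows the naive retry charging twice and the idempotency-key retry charging once, and pairs that with a customer-facing error message and a structured log record that carry transaction details without card data or customer PII. `FakeGateway`, `naive_checkout`, `idempotent_checkout`, `customer_error`, `incident_log` and the order IDs, amounts and card tokens are all constructed for this example.

```python
import hashlib
import json
import uuid
from dataclasses import dataclass, field


class GatewayTimeout(Exception):
    """The gateway processed the request but the response never reached us."""


@dataclass
class FakeGateway:
    """Constructed stand-in for a card gateway (hypothetical, for this example).

    Every executed charge is appended to `charges`. The response to call number
    `drop_response_on_call` is 'lost' after the charge executes: the situation
    that produced the double charge in the scenario.
    """
    charges: list = field(default_factory=list)
    seen_keys: dict = field(default_factory=dict)
    drop_response_on_call: int = 1
    calls: int = 0

    def charge(self, amount_cents, card_token, idempotency_key=None):
        self.calls += 1
        if idempotency_key is not None and idempotency_key in self.seen_keys:
            # Replay of a key already processed: stored result, no new charge.
            return self.seen_keys[idempotency_key]
        charge_id = "ch_" + uuid.uuid4().hex[:12]
        self.charges.append((charge_id, amount_cents, card_token))
        result = {"charge_id": charge_id, "amount_cents": amount_cents, "status": "succeeded"}
        if idempotency_key is not None:
            self.seen_keys[idempotency_key] = result
        if self.calls == self.drop_response_on_call:
            raise GatewayTimeout("response lost after charge executed")
        return result


def naive_checkout(gateway, order_id, amount_cents, card_token, attempts=2):
    """Vulnerable pattern: on a gateway error, submit the charge again.

    The retry is a brand-new request from the gateway's point of view, so a
    lost response becomes a second, real charge.
    """
    last_exc = None
    for _ in range(attempts):
        try:
            return gateway.charge(amount_cents, card_token)
        except GatewayTimeout as exc:
            last_exc = exc
    raise last_exc


def idempotent_checkout(gateway, order_id, amount_cents, card_token, attempts=2):
    """Hardened pattern: one idempotency key per order, reused across retries.

    The key is derived from order and amount, so a retry of the same order is a
    replay, while a different amount can never reuse the key.
    """
    key = hashlib.sha256(f"order:{order_id}:{amount_cents}".encode()).hexdigest()
    last_exc = None
    for _ in range(attempts):
        try:
            return gateway.charge(amount_cents, card_token, idempotency_key=key)
        except GatewayTimeout as exc:
            last_exc = exc
    raise last_exc


def customer_error(incident_id):
    """What the customer sees: actionable, with a support reference, but no
    stack trace, gateway name, card data or internal identifiers."""
    return {
        "message": "We could not confirm your payment. Please do not resubmit; "
                   "check your order status or contact support.",
        "reference": incident_id,
    }


def incident_log(order_id, amount_cents, card_token, attempt, exc, incident_id):
    """Structured log line: transaction details and error class, card token
    masked to its last four characters, no customer name or e-mail."""
    record = {
        "event": "payment_error",
        "incident_id": incident_id,
        "order_id": order_id,
        "amount_cents": amount_cents,
        "card_token_suffix": card_token[-4:],
        "attempt": attempt,
        "error": type(exc).__name__,
    }
    return json.dumps(record, sort_keys=True)


def demo():
    """Run both patterns against a gateway that loses the first response."""
    naive = FakeGateway()
    naive_checkout(naive, "ORD-1001", 4500, "tok_visa_4242")
    safe = FakeGateway()
    safe_result = idempotent_checkout(safe, "ORD-1001", 4500, "tok_visa_4242")
    return len(naive.charges), len(safe.charges), safe_result["status"]


if __name__ == "__main__":
    print(demo())  # (2, 1, 'succeeded')
```

The idempotency key must be generated once per order and persisted with it before the first gateway call, so that a retry after a crash or a customer refresh reuses the same key; a key minted per request is no protection at all. Real gateways also bound how long a key is honoured, so the booking site still needs a reconciliation job that compares its orders with the gateway's charge list and refunds anything it cannot match.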
