E-commerce has revolutionized the digital economy by enabling seamless global transactions; however, it remains a prime target for cyberattacks at both the web and operating system (OS) levels. This paper presents a novel dual-mode academic platform, “Secure and Vulnerable E-Commerce Platform: Evaluation of Web and OS Security through Real-Time Attack Simulation,” designed for research, education, and practical cybersecurity training. The system operates in two configurations: Secure Mode, which enforces industry-grade defenses such as input validation, parameterized queries, CSRF protection, HTTPS enforcement, and OS hardening; and Vulnerable Mode, which intentionally exposes flaws like SQL Injection (SQLi), Cross-Site Scripting (XSS), and insecure configurations to simulate real-world attacks. A centralized, real-time logging dashboard continuously aggregates web and OS events, offering immediate visibility into intrusion attempts, anomalies, and defensive responses. By contrasting secure and vulnerable operations in a controlled environment, the platform bridges the gap between theoretical understanding and hands-on experience—enhancing learners’ expertise in threat detection, mitigation, and resilient system design.
Introduction
The rapid growth of e-commerce has transformed global trade but exposed platforms to increasing cyber threats targeting both web and operating system (OS) layers. Common web vulnerabilities include SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), while OS-level weaknesses like misconfigurations and privilege escalation amplify risk. Despite existing frameworks like OWASP Top 10 and CIS Benchmarks, many systems still suffer from poor input validation, weak authentication, and inconsistent patching.
To address these challenges, the study proposes a dual-mode e-commerce platform that operates in Secure Mode (hardened, best-practice configuration) and Vulnerable Mode (deliberately flawed) to enable hands-on experimentation and learning. Key features include real-time logging and visualization across web and OS layers, centralized monitoring dashboards, and role-based access to events, providing actionable insights for defense, analysis, and education.
The literature review highlights persistent gaps: lack of integrated web and OS-level defenses, insufficient real-time monitoring for combined layers, and absence of dual-mode environments for comparative learning. Previous educational tools like DVWA or WebGoat address only web-layer vulnerabilities without OS integration or unified logging.
The platform’s objectives are to:
Bridge theoretical and practical cybersecurity learning.
Facilitate dual-mode operation for direct comparison.
Implement real-time logging and visualization for attack analysis.
Support safe experimentation, secure coding education, and system-hardening practices.
Ensure scalability and future adaptability.
Methodology involves six phases: requirement analysis, system design, implementation using Django and modern web technologies, controlled attack simulation, real-time logging, and evaluation via metrics like attack success rate, detection accuracy, and system performance.
Implementation and results show:
Secure Mode successfully blocks attacks including SQLi, XSS, CSRF, privilege escalation, and unsafe file uploads, while Vulnerable Mode allows controlled exploitation.
Real-time logging dashboards provide color-coded alerts and correlate web/OS events.
System performance remains efficient (<300ms response delay, <20% CPU usage).
The dual-mode framework enhances educational outcomes by visually demonstrating attack–defense dynamics.
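The Secure Mode versus Vulnerable Mode contrast and the event logging described above, as an added example (not the paper's own code): one product search run through both modes against a constructed SQLite catalogue, with the structured event record a colour-coded dashboard could ingest. The function and variable names (`search_products`, `compare_modes`, `EVENTS`) and the simple alerting signature are assumptions, and only the web layer is modelled.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed in-memory catalogue standing in for the platform's product table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    db.executemany("INSERT INTO product (name, price) VALUES (?, ?)",
                   [("keyboard", 49.0), ("mouse", 19.0), ("webcam", 79.0)])
    return db

EVENTS = []  # stands in for the dashboard's event store (web layer only here)

def log_event(layer, mode, severity, message):
    """Append one structured event in the shape a colour-coded dashboard would ingest."""
    EVENTS.append({"ts": datetime.now(timezone.utc).isoformat(), "layer": layer,
                   "mode": mode, "severity": severity, "message": message})

# Deliberately simple signature for the lab's alerting; it is not what stops the
# injection. Parameterisation does that in Secure Mode regardless of detection.
SUSPECT = re.compile(r"['\";]|--|\b(or|and)\b\s+\S+\s*=", re.IGNORECASE)

def search_products(db, term, secure_mode):
    """Product lookup as run by either mode; the flag is the only difference."""
    mode = "secure" if secure_mode else "vulnerable"
    if SUSPECT.search(term):
        log_event("web", mode, "HIGH", f"SQLi pattern in search term: {term!r}")
    if secure_mode:
        # Secure Mode: parameterised query, so the term can only ever be data.
        cur = db.execute("SELECT name FROM product WHERE name = ?", (term,))
    else:
        # Vulnerable Mode: string concatenation, the defect the lab exposes on purpose.
        cur = db.execute(f"SELECT name FROM product WHERE name = '{term}'")
    rows = [row[0] for row in cur.fetchall()]
    log_event("web", mode, "INFO", f"search for {term!r} returned {len(rows)} row(s)")
    return rows

def compare_modes(term):
    """Run the same request through both modes, as the dual-mode platform does."""
    db = make_db()
    return {"vulnerable": search_products(db, term, False),
            "secure": search_products(db, term, True)}

if __name__ == "__main__":
    print(compare_modes("mouse"))          # both modes: ['mouse']
    print(compare_modes("' OR '1'='1"))    # vulnerable: whole catalogue; secure: []
    for e in EVENTS:
        print(e["severity"], e["layer"], e["mode"], e["message"])
```

The HIGH event is raised in both modes for the same request, which is the point of the side-by-side view: the dashboard shows the attempt either way, while only Vulnerable Mode shows it succeeding.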
Conclusion
The project “Secure and Vulnerable E-Commerce Platform: Evaluation of Web and OS Security through Real-Time Attack Simulation” successfully demonstrates a dual-mode educational system that connects cybersecurity theory with practical implementation. It integrates both Secure Mode and Vulnerable Mode within a single platform, allowing users to observe and compare how different security configurations behave under identical conditions. The Secure Mode applies strong protection techniques such as input validation, parameterized queries, CSRF protection, HTTPS enforcement, and OS-level hardening, while the Vulnerable Mode intentionally exposes flaws like SQL Injection and Cross-Site Scripting to simulate real attacks in a controlled environment.
The system’s real-time logging and monitoring dashboard provides instant visibility of attacks and system responses, helping learners understand the impact of security controls. Experimental results showed that Secure Mode successfully blocked all attacks that compromised the Vulnerable Mode, proving the system’s effectiveness. Overall, this project offers an innovative and scalable platform that enhances practical cybersecurity learning, supports research in web and OS-level defense, and promotes secure software development practices for the modern digital landscape.