<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[Mahim Safa Blog]]></title><description><![CDATA[Mahim Safa Blog]]></description><link>https://blog.mahimsafa.com</link><image><url>https://cdn.hashnode.com/res/hashnode/image/upload/v1674909101946/gFkHzatCq.png</url><title>Mahim Safa Blog</title><link>https://blog.mahimsafa.com</link></image><generator>RSS for Node</generator><lastBuildDate>Thu, 21 May 2026 00:33:47 GMT</lastBuildDate><atom:link href="https://blog.mahimsafa.com/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><item><title><![CDATA[Built and Deployed a Scalable MERN Stack E-commerce Application on AWS]]></title><description><![CDATA[Project Goal
This is a very high-level overview of building and deploying a MERN stack e-commerce application on AWS with scalability. I just finished the project recently on Fiverr.
Overview:
As a freelance developer, I was tasked with building and ...]]></description><link>https://blog.mahimsafa.com/built-and-deployed-a-scalable-mern-stack-e-commerce-application-on-aws</link><guid isPermaLink="true">https://blog.mahimsafa.com/built-and-deployed-a-scalable-mern-stack-e-commerce-application-on-aws</guid><category><![CDATA[React]]></category><category><![CDATA[Node.js]]></category><category><![CDATA[AWS]]></category><category><![CDATA[APIs]]></category><category><![CDATA[serverless]]></category><dc:creator><![CDATA[Mahim Safa]]></dc:creator><pubDate>Thu, 02 Mar 2023 06:00:39 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1677696651592/2d6a4f83-5a15-4d32-bef8-1556cd432a58.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2 id="heading-project-goal">Project Goal</h2>
<p>This is a high-level overview of how I built and deployed a scalable MERN stack e-commerce application on AWS. I recently finished the project as a Fiverr engagement.</p>
<h3 id="heading-overview">Overview:</h3>
<p>As a freelance developer, I was tasked with building and deploying a scalable MERN stack e-commerce application on AWS. The goal was to create an e-commerce application that could handle a high volume of traffic while being reliable, secure, and scalable. To achieve this, I used several AWS services such as Amazon DocumentDB, AWS Amplify, AWS Lambda, Amazon API Gateway, AWS S3, and CloudFront.</p>
<h3 id="heading-challenges">Challenges:</h3>
<p>The project presented a few challenges, such as ensuring the security and reliability of the application, integrating a payment gateway for processing transactions, coordinating with other developers working on the project, and efficiently deploying the application on AWS.</p>
<h3 id="heading-solutions">Solutions:</h3>
<p>For the database I used Amazon DocumentDB, a managed MongoDB-compatible service, so that storage scaling, backups and failover are handled by AWS rather than by the application; this let the application absorb high traffic without a performance hit on the data layer. The cluster was configured with encryption at rest and TLS for connections, so data is encrypted both at rest and in transit.</p>
<p>For the frontend development, I used AWS Amplify to develop and deploy the React application. AWS Amplify provides a comprehensive suite of tools for building and deploying scalable and reliable applications, including authentication, data storage, and API integration. I also integrated a payment gateway to process transactions securely.</p>
<p>For the backend I used AWS Lambda behind Amazon API Gateway. This gave me a flexible backend that manages the API endpoints without servers to maintain and scales with the request volume. To reduce the API's exposure, I added rate limiting at the API layer and input validation in the Lambda handlers, so that malformed or abusive requests are rejected before they reach the database.</p>
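<p>The handler-side input validation mentioned above, as an added example (this is not the project's code): a Lambda handler behind an API Gateway proxy integration that checks an order body before anything is written. The field names (productId, quantity, currency), the size and quantity limits, and the accepted currencies are assumptions chosen for illustration.</p>

```javascript
// Added example, not the project's own code. A Lambda handler (API Gateway
// REST proxy event shape) that validates an order request before it touches
// the database. Field names and limits below are assumptions.

const MAX_BODY_BYTES = 4096;                 // reject oversized payloads early (assumed limit)
const MAX_QUANTITY = 100;                    // per-line-item cap (assumed)
const ALLOWED_FIELDS = new Set(["productId", "quantity", "currency"]);
const PRODUCT_ID = /^[a-f0-9]{24}$/;         // shape of a MongoDB/DocumentDB ObjectId
const CURRENCIES = new Set(["USD", "BDT"]);  // assumed accepted currencies

function badRequest(message) {
  return {
    statusCode: 400,
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ error: message }),
  };
}

// Returns the list of validation errors; an empty list means the order is acceptable.
// Unknown fields are rejected rather than ignored, so a client cannot smuggle in
// attributes (price, status, owner) that the server must decide itself.
function validateOrder(order) {
  if (order === null || typeof order !== "object" || Array.isArray(order)) {
    return ["body must be a JSON object"];
  }
  const errors = [];
  for (const key of Object.keys(order)) {
    if (!ALLOWED_FIELDS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  if (typeof order.productId !== "string" || !PRODUCT_ID.test(order.productId)) {
    errors.push("productId must be a 24-hex-char id");
  }
  if (!Number.isInteger(order.quantity) || order.quantity < 1 || order.quantity > MAX_QUANTITY) {
    errors.push(`quantity must be an integer between 1 and ${MAX_QUANTITY}`);
  }
  if (!CURRENCIES.has(order.currency)) errors.push("unsupported currency");
  return errors;
}

// API Gateway proxy event: body arrives as a string, possibly base64-encoded.
function handler(event) {
  const raw = event.isBase64Encoded
    ? Buffer.from(event.body || "", "base64").toString("utf8")
    : (event.body || "");
  if (Buffer.byteLength(raw, "utf8") > MAX_BODY_BYTES) return badRequest("body too large");

  let order;
  try {
    order = JSON.parse(raw);
  } catch (_e) {
    return badRequest("body is not valid JSON");
  }
  const errors = validateOrder(order);
  if (errors.length > 0) return badRequest(errors.join("; "));

  // Persist the order here. The caller's identity comes from
  // event.requestContext (the authorizer), never from the body.
  return {
    statusCode: 201,
    headers: { "content-type": "application/json" },
    body: JSON.stringify({ accepted: order }),
  };
}
```

<p>Rate limiting is deliberately not in this handler: Lambda execution environments do not share memory, so an in-process counter would reset on every cold start and would not be enforced across concurrent instances. Per-client throttling belongs in front of the function, in API Gateway stage or usage-plan throttling, or in AWS WAF rate-based rules.</p>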
<p>To store user-generated content, such as product images and descriptions, I used AWS S3 as the storage service. This allowed me to store and retrieve data quickly and reliably, ensuring that the application could handle large amounts of data without compromising performance.</p>
<p>Finally, to optimize the application's performance, I used CloudFront as the CDN. CloudFront helped me to improve the application's performance by caching content closer to the users, reducing the latency, and improving the application's responsiveness.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1677696314320/b585f4df-fe5f-49d0-b643-320fb51efa0b.png" alt class="image--center mx-auto" /></p>
<h3 id="heading-results">Results:</h3>
<p>The project was a success, and the e-commerce application was deployed on AWS with high reliability and scalability. Using AWS services such as Amazon DocumentDB, AWS Amplify, AWS Lambda, Amazon API Gateway, AWS S3, and CloudFront allowed me to build a flexible and robust e-commerce application that could handle high volumes of traffic without compromising performance. The collaboration with other developers working on the project was seamless, and the application was delivered on time and within budget. The integration of the payment gateway enabled secure transactions for customers, increasing trust and improving the user experience.</p>
<h3 id="heading-conclusion">Conclusion:</h3>
<p>Building and deploying a scalable MERN stack e-commerce application on AWS requires expertise and knowledge of AWS services. By utilizing AWS Amplify, Amazon DocumentDB, AWS Lambda, Amazon API Gateway, AWS S3, and CloudFront, I was able to create a reliable, scalable, and performant e-commerce application that met the client's requirements. My expertise in AWS services and MERN stack development enabled me to contribute to the success of the project.</p>
]]></content:encoded></item><item><title><![CDATA[MongoDB: Avoid using unbounded arrays in documents]]></title><description><![CDATA[Hi everyone. Hope you are doing well. Today I will show you a scenario with the pros and cons that why you shouldn’t use unbound arrays in a MongoDB document. So without further ado let’s get started.
First, understand the scenario. Let’s assume we h...]]></description><link>https://blog.mahimsafa.com/mongodb-avoid-using-unbounded-arrays-in-documents-fcfa12e84dc4</link><guid isPermaLink="true">https://blog.mahimsafa.com/mongodb-avoid-using-unbounded-arrays-in-documents-fcfa12e84dc4</guid><category><![CDATA[development]]></category><category><![CDATA[MongoDB]]></category><category><![CDATA[optimization]]></category><category><![CDATA[JavaScript]]></category><dc:creator><![CDATA[Mahim Safa]]></dc:creator><pubDate>Wed, 22 Jun 2022 08:45:56 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910150953/fd7a8ea6-b81d-4c0d-a8e2-ea67bcd335a8.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Hi everyone. Hope you are doing well. Today I will walk through a scenario that shows why you should not use unbounded arrays in a MongoDB document, with the trade-offs of each approach. So without further ado, let’s get started.</p>
<p>First, the scenario. Let’s assume we have a social media application where a user can follow multiple users and vice versa. The initial MongoDB schema would look like this.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910133667/6eb2d597-f89c-4305-abe9-50327bd8cc0a.png" alt /></p>
<p>Initial schema</p>
<p>Here we should pay attention to two fields, <strong><em>followers</em></strong> and <strong><em>followings</em></strong>. At the start, the application has little traffic and few users; say we launch with 10-20k users. At that scale every follow relationship is pushed into one of these arrays on the user document, so the <strong><em>followers</em></strong> and <strong><em>followings</em></strong> arrays hold a few hundred entries on average and a few thousand in the worst case. MongoDB handles this much data without trouble for the time being, although the operation can still be a little slow and can be optimized. At this stage you can query for a user’s <strong><em>followers</em></strong> in the following way.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910136092/9375a90d-61c9-4046-bc60-1f90f7332aec.png" alt /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910139097/991cd977-bd61-44b4-a763-165202c00ca9.png" alt="Aggregation Framework" /></p>
<p>Get all followers for a user</p>
<p><strong>But</strong> when the application grows to hundreds of thousands or even millions of users, this initial schema stops working as expected. A single MongoDB document can be at most 16 MB, and every <em>$push</em> to the array has to rewrite a document that keeps growing. If a user manages to gain hundreds of thousands of followers, the array pushes the document past that limit and the write fails.</p>
<p><strong>So</strong> to overcome this problem we can split the schema into two: a <strong><em>User</em></strong> schema and a <strong><em>Follow</em></strong> schema, where each follow relationship is its own document. They should look like this.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910140784/5b48c0c0-5cdd-44ed-abb0-570200de6199.png" alt /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910143361/d37295dd-ce98-4911-8b3b-964adfc7710d.png" alt /></p>
<p>Optimized schema</p>
<p>Now this model is far more scalable than the previous one: a user can follow, or be followed by, millions of users without any issue, which was impossible before. You can no longer use the previous query to fetch a user’s followers; to get all <strong><em>followers</em></strong> of a user you now need a query something like this.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910146323/78c3704f-591b-44d5-ac11-70012896a39f.png" alt="Mongoose" /></p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910148650/9ea02021-8b57-440b-a31a-248dcfcc0af9.png" alt="Aggregation Framework" /></p>
<p>Don’t be confused about why I am filtering on the <em>following</em> field to get followers: take a closer look at the <strong><em>Follow</em></strong> schema and think it through. Each Follow document records one relationship, so the followers of user X are exactly the documents whose <em>following</em> is X.</p>
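<p>Two things the post states without numbers, worked through as an added example (this is not the post's code): how many follower ObjectIds actually fit in one document before the 16 MB limit is hit, and what the "followers of a user" aggregation looks like against the separate Follow collection, with cursor pagination so a very popular account is served in pages. The field names <code>follower</code> and <code>following</code>, the collection name <code>users</code>, and the index suggested in the comments are assumptions based on the description above.</p>

```javascript
// Added example, not the post's own code. Field and collection names are assumed.

const BSON_MAX_DOCUMENT_BYTES = 16 * 1024 * 1024; // MongoDB's 16 MB document limit
const OBJECT_ID_BYTES = 12;

// BSON encodes an array as an embedded document whose keys are the decimal
// indices "0", "1", ... Each ObjectId element costs 1 type byte, the index as a
// NUL-terminated string, and 12 bytes of value. The array document itself has a
// 4-byte length prefix and a trailing NUL.
function bsonObjectIdArrayBytes(count) {
  let bytes = 4 + 1;
  for (let i = 0; i < count; i++) {
    bytes += 1 + (String(i).length + 1) + OBJECT_ID_BYTES;
  }
  return bytes;
}

// Largest follower array that still fits in a document containing nothing else.
// A real user document carries other fields, so the practical ceiling is lower:
// the "hundreds of thousands of followers" failure in the post is real.
function maxObjectIdsPerArray(limitBytes = BSON_MAX_DOCUMENT_BYTES) {
  let bytes = 4 + 1;
  let count = 0;
  for (;;) {
    const next = bytes + 1 + (String(count).length + 1) + OBJECT_ID_BYTES;
    if (next > limitBytes) return count;
    bytes = next;
    count++;
  }
}

// Aggregation pipeline for "who follows userId", run against the Follow
// collection ({ follower, following, createdAt } assumed). Filtering on
// `following` selects the rows where someone follows *this* user.
// Pagination is by _id cursor, so a million-follower account is returned in
// pages instead of as one unbounded result. Assumes an index { following: 1, _id: 1 }.
function followersPipeline(userId, { limit = 50, after = null } = {}) {
  const match = { following: userId };
  if (after !== null) match._id = { $gt: after }; // resume after the last _id seen
  return [
    { $match: match },
    { $sort: { _id: 1 } },
    { $limit: limit },
    { $lookup: { from: "users", localField: "follower", foreignField: "_id", as: "user" } },
    { $unwind: "$user" },
    { $project: { _id: 1, "user._id": 1, "user.username": 1 } },
  ];
}

// Usage with the Node driver (not executed here):
//   db.collection("follows").aggregate(followersPipeline(userId, { limit: 50 })).toArray()
```

<p>The size function shows why the limit arrives sooner than intuition suggests: with six-digit indices each element costs 20 bytes, so an array of ObjectIds alone tops out around 844,000 entries, and the whole document is rewritten on every push long before that. The pipeline keeps the Follow collection's cost proportional to the page size, not to the account's popularity.</p>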
<p>That is all for today. Hope you find it useful. If you do please give it a clap and share it with your friends. If you like this kind of write-up consider following me. If you have any doubts you can always reach out to me.</p>
<p>Thank you for sticking this much.</p>
]]></content:encoded></item><item><title><![CDATA[How I Hacked Dhaka University affiliated 7C.]]></title><description><![CDATA[Assalamu alaykum,I am Mahim Safa, a student at Dhaka College. There are 7 colleges part of Dhaka University. Those are:

Dhaka College

Eden Mohila College

Begum Badrunnesa Gov. College

Government Titumir College

Government Bangla College

Kabi Na...]]></description><link>https://blog.mahimsafa.com/how-i-hacked-dhaka-university-affiliated-7c-213f158abbaf</link><guid isPermaLink="true">https://blog.mahimsafa.com/how-i-hacked-dhaka-university-affiliated-7c-213f158abbaf</guid><category><![CDATA[hacking]]></category><category><![CDATA[SQL]]></category><category><![CDATA[PHP]]></category><dc:creator><![CDATA[Mahim Safa]]></dc:creator><pubDate>Wed, 26 May 2021 14:46:01 GMT</pubDate><enclosure url="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910162867/a73e994b-01a8-4337-a8a2-5bcbe6b3c9ff.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Assalamu alaykum,<br />I am Mahim Safa, a student at Dhaka College. There are seven colleges affiliated with Dhaka University. They are:</p>
<ul>
<li><p>Dhaka College</p>
</li>
<li><p>Eden Mohila College</p>
</li>
<li><p>Begum Badrunnesa Gov. College</p>
</li>
<li><p>Government Titumir College</p>
</li>
<li><p>Government Bangla College</p>
</li>
<li><p>Kabi Nazrul Government College</p>
</li>
<li><p>Govt. Shaheed Suhrawardy College, Dhaka</p>
</li>
</ul>
<p>These seven colleges have about 243,000 students enrolled at present, and all of their official operations run through one online web portal. One of the main operations is the yearly “Form Fill Up”, during which a large volume of fee payments passes through the portal. In that period alone an attacker could have caused damage of roughly <strong>729,000,000 TAKA</strong>, which is about <strong>8,604,693 USD</strong>. There was also a <strong>reflected XSS</strong> vulnerability, but that one does not rate as critical. Now let’s see how I exploited the service.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910156045/9b9cda53-37b3-443b-9e0a-215514e39d3d.png" alt /></p>
<p>Following a notice from my college, I was given a link to the web portal for the form fill up and logged in with the ID my college had issued. While submitting the form, the URL caught my eye, so I got curious about the endpoint and started playing with its parameters. That is where I found <strong>SQLi</strong> in the <code>exam_id</code> parameter of that endpoint.</p>
<blockquote>
<p><code>https://web-portal-domain.com/students/form_preview.php?s_year_code=1&amp;session_id=20&amp;exam_id=17</code></p>
<p><code>https://web-portal-domain.com/students/form_preview.php?s_year_code=1&amp;session_id=20&amp;exam_id=-17' union select 1,2,3,group_concat(username,0x3a,password),5,6 from admin -- -</code></p>
</blockquote>
<p>With the injection confirmed, I was able to extract data from the database: the server admin panel credentials, the college admin panel credentials, and the login credentials for all 243,000+ students along with their personal information (full name, contact number, address, father’s name, mother’s name, and more). From the college admin panel I could bypass any student’s transaction; from the server admin panel I could add, modify, or remove any student. Let’s move on...</p>
<p>After accessing the database I was curious whether I could get access to the server itself, so I tried the SQL functions that can lead to RCE. First I tried to <em>read arbitrary files</em> with MySQL’s <em>load_file()</em> function.</p>
<blockquote>
<p><code>https://web-portal-domain.com/students/form_preview.php?s_year_code=1&amp;session_id=20&amp;exam_id=-17' union select 1,2,3,load_file('/etc/passwd'),5,6 -- -</code></p>
</blockquote>
<p>The query executed successfully, and I could read any file the database server was allowed to read (<em>load_file()</em> runs with the privileges of the MySQL server process, not the web server, and requires the FILE privilege). Through this <strong><em>arbitrary file read</em></strong> I was able to read the website’s entire source code. Then I looked for a way to write files to the server to get RCE, so I tried the <strong><em>INTO OUTFILE</em></strong> method.</p>
<blockquote>
<p><code>https://web-portal-domain.com/students/form_preview.php?s_year_code=1&amp;session_id=20&amp;exam_id=-17' union select 1,2,3,"",5,6 INTO OUTFILE '/var/www/html/images/shell.php' -- -</code></p>
</blockquote>
<p>But the database user was not permitted to write into that web server directory (typically because the directory is not writable by the MySQL process, or because <code>secure_file_priv</code> restricts where <code>INTO OUTFILE</code> may write), so I was unable to get RCE on the server.</p>
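<p>As an added example (not the write-up's code; the target was PHP), here is the defender's view of the steps above: the query shape that made <code>exam_id</code> injectable beside its parameterized form, and a check that flags the three techniques used (UNION extraction, <code>load_file()</code>, <code>INTO OUTFILE</code>) in web server access logs. The table and column names in the SQL, the log lines, and the client IP are constructed for illustration; nothing here connects to a database.</p>

```javascript
// Added example, not the write-up's own code. Names and log lines are constructed.

const SIX_COLUMNS = "s_year_code, session_id, exam_id, student_id, form_no, fee"; // assumed

// Vulnerable: the parameter is spliced into the SQL text, so a quote in exam_id
// closes the literal and the rest of the value is parsed as SQL (the bug in the post).
function vulnerableQuery(p) {
  return `SELECT ${SIX_COLUMNS} FROM form_preview WHERE s_year_code='${p.s_year_code}' ` +
         `AND session_id='${p.session_id}' AND exam_id='${p.exam_id}'`;
}

// Fixed: placeholders keep the values out of the SQL grammar. This is the
// { sql, values } pair a driver such as mysql2's execute(sql, values) takes.
function parameterizedQuery(p) {
  return {
    sql: `SELECT ${SIX_COLUMNS} FROM form_preview WHERE s_year_code=? AND session_id=? AND exam_id=?`,
    values: [p.s_year_code, p.session_id, p.exam_id],
  };
}

// Detection over access-log lines (combined log format). Values are URL-decoded with
// URLSearchParams so %27/%20/+ encodings are seen as the database saw them.
// Inline-comment and case tricks are partly covered; keyword-free injection
// (blind/boolean) is not, so treat this as triage, not a WAF.
const SIGNATURES = [
  { technique: "union-select extraction", re: /\bunion\b(?:\s|\/\*[\s\S]*?\*\/)*(?:all\s+|distinct\s+)?select\b/i },
  { technique: "arbitrary file read (load_file)", re: /\bload_file\s*\(/i },
  { technique: "file write (INTO OUTFILE/DUMPFILE)", re: /\binto\s+(?:out|dump)file\b/i },
];

function flagRequest(logLine) {
  const m = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/.exec(logLine);
  if (!m) return null;
  const url = new URL(m[1], "http://placeholder.invalid"); // base only to parse a path
  const findings = [];
  for (const [param, value] of url.searchParams) {
    for (const { technique, re } of SIGNATURES) {
      if (re.test(value)) findings.push({ param, technique });
    }
  }
  return findings.length > 0 ? { path: url.pathname, findings } : null;
}

function scanLog(lines) {
  return lines.map(flagRequest).filter(Boolean);
}

// Constructed log lines: one benign request, then the write-up's three payloads
// as they would appear URL-encoded in the server log.
const SAMPLE_LOG = [
  '203.0.113.5 - - [26/May/2021:14:00:01 +0600] "GET /students/form_preview.php?s_year_code=1&session_id=20&exam_id=17 HTTP/1.1" 200 5120',
  '203.0.113.5 - - [26/May/2021:14:00:09 +0600] "GET /students/form_preview.php?s_year_code=1&session_id=20&exam_id=-17%27%20union%20select%201,2,3,group_concat(username,0x3a,password),5,6%20from%20admin%20--%20- HTTP/1.1" 200 9033',
  '203.0.113.5 - - [26/May/2021:14:01:20 +0600] "GET /students/form_preview.php?s_year_code=1&session_id=20&exam_id=-17%27+union+select+1,2,3,load_file(%27/etc/passwd%27),5,6+--+- HTTP/1.1" 200 7110',
  '203.0.113.5 - - [26/May/2021:14:02:44 +0600] "GET /students/form_preview.php?s_year_code=1&session_id=20&exam_id=-17%27+union+select+1,2,3,%22%22,5,6+INTO+OUTFILE+%27/var/www/html/images/shell.php%27+--+- HTTP/1.1" 500 312',
];
```

<p>Running <code>scanLog(SAMPLE_LOG)</code> returns three hits, each naming the parameter and the technique; the benign request is ignored. The <code>INTO OUTFILE</code> attempt is worth alerting on even when it fails, as it did here, because it shows the attacker has already moved from data theft to trying for code execution.</p>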
<p>Even so, it was a serious vulnerability that could have led to a huge loss of data. The fix on the application side is to pass <code>exam_id</code> and the other parameters to the query as bound parameters (prepared statements) instead of concatenating them into the SQL string. After I reported the issue, they resolved it.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910158229/9827255c-f820-47b3-b5a0-d14861dd6bfd.png" alt /></p>
<p>That's all for now. Thanks for your time.</p>
<p><img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1674910160473/bcb5bd11-4a60-440c-9639-4a16b1d7236b.jpeg" alt="https://i.imgur.com/jRZ2iVS.jpeg" /></p>
]]></content:encoded></item></channel></rss>