1. Make one online purchase. This can either be a real purchase if you need to buy
something, or one that is syntactically correct but ultimately rejected if you do
o Note that if you just type in 16 arbitrary digits as your card number, it is unlikely to
be syntactically correct: the last digit of a PAN is a Luhn check digit, so only about
one random 16-digit string in ten passes. Many sites generate numbers that are valid in
this sense for exactly this purpose, e.g.
https://www.freeformatter.com/credit-card-number-generator-validator.html or
https://ccardgenerator.com/. Such a number is still not an issued card, so the
merchant should ultimately reject the transaction.
2. You can pay with a payment card, a PayPal account, Apple Pay, etc. It may be
worth using your group discussion forum to see who is doing what, so that the
group covers a diverse mix of payment types.
3. When you make the purchase, collect the following data:
o the web page (i.e. the actual HTML) into which you entered the purchase data
(Primary Account Number, CVV etc.). Note that you may wish to save the
web page before entering the data, and that the card fields may be in an
iframe served by a payment provider rather than in the merchant's own page,
in which case save that document as well.
o a screenshot of the page
o the network trace (HAR file) of the entire transaction, started before you
visited the merchant's page. There is an FNU (Feature of Negative Utility) in
Chrome (at least v84): if you are working in one tab with logging on and
get switched to a different tab (or a new window), that tab is not logged
automatically, whereas an iframe in the same tab should be. Beware that this
may mean you do not log the critical part: before closing DevTools, check
that the HAR actually contains the request that carried the card number.
o if you can also collect a system-level network trace (Wireshark or
equivalent), that would also be good. However, do not SUBMIT this; just
use relevant extracts in your report. Bear in mind that with TLS such a
trace shows the hostnames (DNS lookups, the SNI in the handshake) but not
the request contents, which is why the HAR, captured inside the browser,
is the primary evidence.
4. This evidence should be submitted (in one Zip file) as part of the
submission. However, if you used real data in the HAR file, you must
anonymise it before submission: replace the digits of the PAN and/or CVV by N (so
a CVV looks like NNN), letters etc. in names by X, and characters in addresses
by A, so that person XXXXXXXX has an address of AAAAAAA. Search the whole file,
not just the obvious form fields: the same values may also appear URL-encoded in
query strings, inside JSON request bodies, or in response bodies that echo them back.
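Why a random 16-digit string usually fails the syntax check: the rightmost digit of a PAN is a Luhn check digit, so exactly one in ten random strings passes. The following is an added example, not part of the assignment or of the generator sites linked above; it validates a PAN, builds a syntactically valid test number (the "4" prefix is an arbitrary choice, real issuer ranges are assigned), and measures the one-in-ten rate empirically.

```python
"""Luhn check digit: why a random 16-digit string is usually not a valid PAN.
Added example; not part of the assignment or of the generator sites above."""
import random


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 of a digit string; 0 means the string is valid."""
    total = 0
    # From the right: the check digit is position 0 (not doubled), every
    # second digit to its left is doubled, and 10..18 become 1..9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True if the PAN (spaces and dashes allowed) passes the Luhn check."""
    digits = "".join(c for c in pan if c in "0123456789")
    return 12 <= len(digits) <= 19 and luhn_checksum(digits) == 0


def generate_pan(prefix: str = "4", length: int = 16, seed=None) -> str:
    """Build a syntactically valid PAN: prefix, random body, Luhn check digit.
    The prefix is an arbitrary choice here; real issuer ranges are assigned."""
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(length - len(prefix) - 1))
    # The check digit is whatever makes the whole number sum to 0 mod 10;
    # appending "0" puts the body digits in their final positions.
    check = (10 - luhn_checksum(body + "0")) % 10
    return body + str(check)


def fraction_luhn_valid(samples: int = 2000, seed: int = 0) -> float:
    """Share of uniformly random 16-digit strings that pass Luhn (1/10 in expectation)."""
    rng = random.Random(seed)
    hits = sum(luhn_checksum("".join(str(rng.randrange(10)) for _ in range(16))) == 0
               for _ in range(samples))
    return hits / samples


if __name__ == "__main__":
    print("4111 1111 1111 1111 valid:", luhn_valid("4111 1111 1111 1111"))
    print("generated:", generate_pan("4", 16, seed=1))
    print("random strings passing Luhn:", fraction_luhn_valid())
```

The check is purely syntactic: a Luhn-valid number says nothing about whether the card exists, which is why the merchant (or its payment provider) should still decline it.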
1. Write a report based on your ‘purchase’. This should include the following:
o with which websites does your browser communicate during the
transaction? Are there any that worry you, or whose function you do not
o looking at the logs, to which sites does your payment card number get
sent, and how is it protected in transit? You should quote the relevant
part of the logs, but should replace the card number and any other
identifying/sensitive data, e.g. by NNNN NNNN NNNN NNNN, before
you know what it is doing with your data?
o how dependent is the HTML you have on the correct functioning of the
DNS? In particular, could bad DNS results result in a security problem?
o what makes you think that the sum of money displayed to you is the sum
that will be transmitted to your bank?
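One way to answer the "to which sites does your card number get sent, and how is it protected in transit" question and to do the anonymisation required in step 4 in code, as an added example that is not part of the assignment: it walks a HAR, reports every request whose URL, headers or body carries the PAN (literal, percent-encoded or form-encoded) together with the URL scheme, and then produces the redacted copy for submission. The HAR and the hostnames shop.example, pay.example and tracker.example are constructed for the example; the PAN is the well-known 4111 1111 1111 1111 test number.

```python
"""Find where the PAN went in a HAR capture, then redact it for submission.
Added example for this exercise; not part of the original page."""
import copy
import json
from urllib.parse import quote, quote_plus, urlsplit

# Constructed sample: hostnames are hypothetical, the PAN is the public
# 4111 1111 1111 1111 Visa test number. Three requests: the merchant page,
# a hosted payment form POSTing the card over HTTPS, and a tracker that
# leaks the PAN in a plain-HTTP query string.
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_CVV = "123"
SAMPLE_NAME = "Alice Smith"
SAMPLE_ADDRESS = "12 High St"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://shop.example/checkout",
                 "headers": [{"name": "Host", "value": "shop.example"}]},
     "response": {"status": 200, "headers": []}},
    {"request": {"method": "POST", "url": "https://pay.example/v1/tokens",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"pan": "4111111111111111", "cvv": "123",
                                                  "name": "Alice Smith", "addr": "12 High St"})}},
     "response": {"status": 200, "headers": []}},
    {"request": {"method": "GET",
                 "url": "http://tracker.example/px?card=4111%201111%201111%201111&n=Alice+Smith",
                 "headers": []},
     "response": {"status": 204, "headers": []}},
]}}


def _text_fields(entry):
    """Yield (obj, key, label) for each string field that can carry user data."""
    req, resp = entry.get("request", {}), entry.get("response", {})
    yield req, "url", "url"
    for h in req.get("headers", []):
        yield h, "value", "request-header"
    for q in req.get("queryString", []):
        yield q, "value", "query"
    if "postData" in req:
        yield req["postData"], "text", "body"
    for h in resp.get("headers", []):
        yield h, "value", "response-header"
    if "content" in resp:
        yield resp["content"], "text", "response-body"


def _variants(raw, masked):
    """(needle, replacement) pairs for the literal, %-encoded and +-encoded forms."""
    pairs = {raw: masked, quote(raw): quote(masked), quote_plus(raw): quote_plus(masked)}
    return sorted(pairs.items(), key=lambda p: -len(p[0]))


def redaction_rules(pan, cvv, name, address):
    """PAN and CVV digits -> N, name letters -> X, address characters -> A."""
    digits_only = "".join(c for c in pan if c.isdigit())
    rules = []
    for raw in (pan, digits_only):
        rules += _variants(raw, "".join("N" if c.isdigit() else c for c in raw))
    rules += _variants(cvv, "N" * len(cvv))
    rules += _variants(name, "".join("X" if c.isalpha() else c for c in name))
    rules += _variants(address, "".join("A" if c.isalnum() else c for c in address))
    return rules


def find_pan_destinations(har, pan):
    """Return (host, scheme, where) for every request in which the PAN appears."""
    digits_only = "".join(c for c in pan if c.isdigit())
    needles = [n for raw in (pan, digits_only) for n, _ in _variants(raw, raw)]
    hits = []
    for entry in har["log"]["entries"]:
        parts = urlsplit(entry["request"]["url"])
        for obj, key, label in _text_fields(entry):
            text = obj.get(key)
            if isinstance(text, str) and any(n in text for n in needles):
                hits.append((parts.hostname, parts.scheme, label))
                break  # one line per request is enough for the report
    return hits


def redact_har(har, pan, cvv, name, address):
    """Deep-copy the HAR and apply the redaction rules to every text field."""
    out = copy.deepcopy(har)
    rules = redaction_rules(pan, cvv, name, address)
    for entry in out["log"]["entries"]:
        for obj, key, _ in _text_fields(entry):
            text = obj.get(key)
            if isinstance(text, str):
                for needle, repl in rules:
                    text = text.replace(needle, repl)
                obj[key] = text
    return out


if __name__ == "__main__":
    for host, scheme, where in find_pan_destinations(SAMPLE_HAR, SAMPLE_PAN):
        flag = "" if scheme == "https" else "  <-- not TLS"
        print(f"{host}: PAN in {where}, scheme {scheme}{flag}")
    redacted = redact_har(SAMPLE_HAR, SAMPLE_PAN, SAMPLE_CVV, SAMPLE_NAME, SAMPLE_ADDRESS)
    print(json.dumps(redacted, indent=1))
```

Two caveats for the report. The scheme only tells you that the request was sent over TLS; it says nothing about who terminated that TLS connection or whether the certificate was the one you expected, so pair it with the certificate details from DevTools or the Wireshark trace. And a three-digit CVV is a very short needle, so inspect the redacted file by eye before submitting: values hidden by a further encoding (JSON string escapes inside a string, base64) are not caught by plain substring replacement.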