,

Page 1 of 10
School of Science
INTE1070/1071 Secure Electronic Commerce
Assignment 1

Assessment Type: Individual assignment; no group work. Submit online via Canvas→Assignments→Assignment 1.
Marks awarded for meeting requirements as closely as possible. Clarifications/updates may be made via
announcements/relevant discussion forums.

Due date: Week 4, Friday the 14th Aug 2020 11:59pm
Deadlines will not be advanced, but they may be extended. Please check Canvas→Syllabus or via
Canvas→Assignments→Assignment 1 for the most up to date information.
As this is a major assignment in which you demonstrate your understanding, a university standard late penalty of 10% per each
working day applies for up to 5 working days late, unless special consideration has been granted.

Weighting: 30 marks (Contributes 30% of the total Grade)

1. Overview
The objective of Assignment 1 is evaluating your knowledge on the topics covered in Lecture 1-4. Topics include an
overview of the E-Commerce system, common security attacks on E-Commerce websites, protecting E-commerce
sites using well-known approaches, and some fundamentals of crypto protocols that are used for securing electronic
commerce. Assignment 1 will focus on developing your abilities in identifying security flaws in an e-commerce website
and securing the e-commerce application using some of the well-known approaches. Assignment 1 contains several
problems related to the topics mentioned above. You are required to prepare the solutions with the description of
the step-by-step processes as a single PDF or MS Word file and necessary codes.
There are 4 (four) questions in Assignment-1. Q1 is related to different security attacks that can be performed on an
e-commerce website. On the other hand, Q2 to Q4 are related to some of the popular protection methods that are
used in e-commerce applications. Protection methods include Google’s ReCaptcha V2 and V3, email and SMS based
multifactor authentication, and Google’s two factor authentication (2FA) framework.
Develop the solution of this assignment in an iterative fashion (as opposed to completing it in one sitting). You should
be able to start preparing your answers immediately after the Lecture-1 (in Week-1). At the end of each week starting
from Week-1 to Week-4, you should be able to solve at least one question.
If there are questions, you must ask via the relevant Canvas discussion forums in a general manner.
Submission instructions are detailed in Section 2.
2. Submission Instructions
Overall, you must follow the following special instructions:
• You must fulfil the requirements in the questions.
• For the questions that require implementation, you must implement the functionalities stated in the
questions. Any change in a user interface is acceptable if the functionality is there.
• In your solution, you must show all of the steps with necessary code segments and screenshots for each
question.
• Please note that you are required to record the steps in a video and post it in the CANVAS or YouTube
whenever asked. Provide the link in your solution.
• Upload your solution as a single PDF or Word document in CANVAS. Also, upload codes as a single ZIP file in
the CANVAS.
,

Page 2 of 10
• Do not put the PDF withing the ZIP file.

3. Assessment Criteria
This assessment will determine your ability to:
• Follow requirements provided in this document and in the lessons.
• Independently solve a problem by using cryptography and cryptanalysis concepts taught over the first four
weeks of the course.
• Meeting deadlines.
4. Learning Outcomes
This assessment is relevant to the following Learning Outcomes:
• CLO 1: Explain the range of threats to e-commerce security.
• CLO 2: Explain how cryptography can be, and is, used to achieve security.
• CLO 3: Describe the different standards in use for secure electronic commerce, such as certificates, MACs,
etc.
• CLO 6: Describe the different protocols in use for secure electronic commerce, such as SSL / TLS.
5. Assessment details
Please ensure that you have read Section 1 to 3 of this document before going further. Assessment details (i.e.
question Q1 to Q4) are provided in the next page.

,

Page 3 of 10
Q1. Security Attacks on E-Commerce Websites (9 Marks)
Alice owns a computer store in Melbourne city. In order to increase the sales, she has developed an E-Commerce
application for her computer store. Some of the well-known attacks on E-commerce websites are as follows:
• Cross-Site Scripting (XSS)
• SQL injections
• Hidden field manipulation
• Fishing Attack
• Cookie poisoning
• Web scraping
• Layer 7 DoS attacks
• Parameter tampering
• Buffer overflow
• Backdoor or Debug options
• Stealth commanding
• Forced browsing
• Third-party misconfigurations

Alice realizes that the E-Commerce application must be secured before it becomes online. From that realization, she hires
you and your team as a security consultant to identify the security risks of her developed E-Commerce application.

Create an E-commerce website (with a database as back-end and other necessary tools such as HTML, PHP, Javascript,
CSS files etc.) for yourself to demonstrate the chosen attacks. However, for the sake of convenience, a sample code of
Alice’s E-Commerce application (includes HTML, PHP, JavaScript, and CSS source files) and the database (as SQL file) are
uploaded in the CANVAS under Assignment-1 home page. You should add or edit pages to whenever required.

Create a group of 3 people. Then, you are required to configure Alice’s E-Commerce application in your personal
computer or any free websites (where you can host your website) using the knowledge you have learnt from Tutorials 1
to 4.

Once you have configured the application, you are required to demonstrate at least three types of attacks that can be
performed on Alice’s E-Commerce application. For each of the attack, you need to do the followings:
a) Write down all the necessary steps to launch each attack with screenshots.
b) Record the steps in a video and post it in the CANVAS or YouTube (as a private video). Provide the link. You should
not share the link of the video any of your peer groups.
Provide the above items mentioned in (a) and (b) as a group.


Q2. Securing E-Commerce Website from spam and abuse (2+3 = 5 Marks)
In the E-Commerce application that has been provided in the CANVAS in relation to Q1, only registered users should be
authorized to login to the Ecommerce application and trade. A registered user can be either a seller or buyer who needs
to create a user account. It is possible that several fake users are created by human attackers or software bots for
hampering the operation of the E-Commerce application. To protect the E-Commerce application from spam and abuse,
Alice requests you to integrate CAPTCHA in her E-Commerce application.

Considering the security strength of Google’s reCAPTCHA service, you have decided to integrate it in Alice’s application.
a) From the knowledge you have learnt in Tutorial, implement Google’s reCAPTCHA version 2:
i. Design a form similar to the one given in Figure-2.1 to create user account with Google’s reCAPTCHA version 2.
ii. Show step by step processes, with appropriate code segments and screenshots, how Google’s reCAPTCHA version
2 can be applied in the E-Commerce application to prevent creating fake user accounts. Also, record the steps in
a video and post it in the CANVAS or YouTube (as a private video) and provide the link. You should not share the
link of the video any of your peer groups.

,

Page 4 of 10

Figure-2.1: Expected User Registration Page enabled with Google’s reCAPTCHA version 2


b) You have found that Google has a new version of its reCAPTCHA which is reCAPTCHA version 3. When you informed
Alice about the reCAPTCHA version 3, she is convinced that reCAPTCHA version 3 is better.

To make Alice happy:
i. Design a form similar to the one shown in Figure-2.2 to create user accounts with Google’s reCAPTCHA version 3.
ii. Show step by step processes, with appropriate code segments and screenshots, how Google’s reCAPTCHA version
3 can be applied in the E-Commerce application to prevent creating fake user accounts. Also, record the steps in a
video and post it in the CANVAS or YouTube (as a private video) and provide the link. You should not share the link
of the video any of your peer groups.
iii. What are the advantages of using reCAPTCHA version 3?


Figure-2.2: User Registration Page enables with Google’s reCAPTCHA version 3



,

Page 5 of 10
Q3. Simple Multi-Factor Authentication (4 Marks)
Once user accounts have been created, only valid users should be allowed to login and trade using Alice’s E-Commerce
application. However, attackers can still compromise the login system with the aid some sophisticated software. So, you
have decided to integrate the multi-factor authentication in Alice’s E-Commerce application.
Develop an Email-based multi-factor authentication for Alice’s E-Commerce application that has the following
requirements. Also, record the steps in a video and post it in the CANVAS or YouTube (as a private video) and provide the
link. You should not share the link of the video any of your peer groups.

Requirements:
i. Create a simple login form as shown in Figure-3.1. When a user provides a valid email (your RMIT student email)
and password (e.g. 1234), the user should receive a 6-digit random number in his/her email address as shown
in Figure-3.2 and the page to be shown as presented in Figure-3.3.
ii. Once the verification code is provided in the form shown in Figure-3.3, the code should be verified, and the
Success Page is shown (see Figure-3.4). Otherwise, the Failure Page is shown (see Figure-3.5).


Figure-3.1: Login Form for Email-based Two Factor Authentication


Figure-3.2: Email containing the 6-digit Two Factor Authentication code



Figure-3.3: Form to Enter the Verification Code


Figure-3.4: Success Page shown if a valid code is entered


Figure-3.5: Failure Page shown if an invalid code is entered
Q4. Advanced Multi-Factor Authentication (8+4 = 12 Marks)
Once user accounts have been created, only valid users should be allowed to login and trade using Alice’s E-Commerce
application. However, attackers can still compromise the login system by performing the password guessing attack. To
prevent an attacker getting access to the application by simply knowing the password, you have decided to integrate the
multi-factor authentication in Alice’s E-Commerce application.
,

Page 6 of 10
a) Apply Google’s 2-step verification (e.g.2FA, also called 2 Factor Authentication or 2FA) to user accounts of the E-
Commerce application. You need to perform the followings:
i. Create a login form (as shown in Figure-4.1) that would allow you to enter Email and password. Next, provide
steps with necessary code segment and screenshots how you have integrated Goggle’s 2FA in Alice’s E-
Commerce application. Also, record the steps in a video and post it in the CANVAS or YouTube (as a private
video) and provide the link. You should not share the link of the video any of your peer groups.


Figure-4.1: Login Form with Google’s 2 Factor Authentication

iii. Once a user enters correct email and password, a screen (like Figure-4.2 or 4.3) should prompt the user to
enter 2-step verification code as follows:


Figure-4.2: Google’s Form to enter verification code in Google’s 2 Factor Authentication


Figure-4.3: Another Google’s Form to enter verification code in Google’s 2 Factor Authentication

b) Design an SMS-based two factor authentication (2FA) framework and show step-by-step process to implement it in
Alice’s E-Commerce application. In your designed 2FA framework, the E-commerce website should send an SMS to
the verified user’s mobile phone number each time a user provides valid username and password. The verification
code should be a unique short-lived code. Figure-4.4 shows an overview of the system. Show steps with necessary
,

Page 7 of 10
code segment and screenshots. Also, record the steps in a video and post it in the CANVAS or YouTube (as a private
video) and provide the link. You should not share the link of the video any of your peer groups.


Figure-4.4: Overview of SMS-based 2 Factor Authentication system

,

Page 8 of 10
6. Academic integrity and plagiarism (standard warning)
Academic integrity is about honest presentation of your academic work. It means acknowledging the work of others
while developing your own insights, knowledge and ideas. You should take extreme care that you have:
• Acknowledged words, data, diagrams, models, frameworks and/or ideas of others you have quoted (i.e. directly
copied), summarized, paraphrased, discussed or mentioned in your assessment through the appropriate
referencing methods,
• Provided a reference list of the publication details so your reader can locate the source if necessary. This
includes material taken from Internet sites.
If you do not acknowledge the sources of your material, you may be accused of plagiarism because you have passed
off the work and ideas of another person without appropriate referencing, as if they were your own.
RMIT University treats plagiarism as a very serious offence constituting misconduct. Plagiarism covers a variety of
inappropriate behaviors, including:
• Failure to properly document a source
• Copyright material from the internet or databases
• Collusion between students
For further information on our policies and procedures, please refer to the University website.

7. Assessment declaration
When you submit work electronically, you agree to the assessment declaration.


,

Page 9 of 10
8. Rubric/assessment criteria for marking
All of the computations must be correct and only provided values must be used. Instructions must be followed.
Criteria
The characteristic
or outcome that is
being judged. Total
Question 1
Security Attacks on
E-Commerce
Websites

3 different types of attacks are
shown correctly and step-by-step
processes are shown in the
solution with necessary
screenshots.

The link of the video demonstration
is provided.







Any 1 of the followings is satisfied:

1) a. 3 different types of attacks are shown
step-by-step with necessary screenshots.
b. All of the attack methods are shown
correctly.
c. But, the link of the video demonstration
is NOT provided

OR

2) a. 2 different attacks are shown correctly,
and step-by-step and step-by-step processes
are shown with necessary screenshots.
b. The link of the video demonstrations
shows 2 attack methods.


Any 1 of the followings is satisfied:

1) a. 3 different attacks are shown step-by-step without
necessary screenshots.
b. the link of the video demonstrations is NOT provided

OR

2) a. 2 attack methods are shown step-by-step processes
are shown in the solution with necessary codes.
b. Only 2 attack methods are working correctly.
c. The link of the video demonstrations shows 2 attack
methods.

OR

3) All of the three methods are partially shown,

Not answered


9 Marks
9 Marks 6 Marks 3 Marks 0 Marks
Question 2
Securing E-
Commerce
Website from spam
and abuse

Both Q2(a) and Q2(b) are
answered correctly with
required description and
screenshots.


Video demonstration is
provided.










Any 1 of the followings is satisfied:

1) Only Q2(a) is answered
correctly with required description
and screenshots.

Video demonstration is provided.

OR

2) Both Q2(a) and Q2(b) are
partially correct and a few
description and screenshots are
provided.
Video demonstration is provided.


Any 1 of the followings is satisfied:

1) Both Q2(a) and Q2(b) are correct,
but inadequate description and
screenshots are provided.

Video demonstration is NOT provided.

OR

2) Only Q2(b) is answered correctly
with required description and
screenshots.



Video demonstration is NOT provided.

Both Q2(a) and Q2(b) are
attempted. But, answered are not
correct and requirements are not
fulfilled.



Video demonstration is NOT
provided.









Not answered















5 Marks
5 Marks 3 Marks 2 Marks 1 Marks 0 Marks
,

Page 10 of 10
Question 3

Simple Multi-Factor
Authentication

Answered correctly with detail
step-by-step process.

Explanations are excellent.

Video demonstration is provided.








Answer is partially
correct, and detail
step-by-step
process is shown.
Explanations are
satisfactory.

Video
demonstration is
NOT provided.

Answer is correct but detail step-by-
step process is NOT shown.
Explanations are not satisfactory.

However, Video demonstration is
provided.








Answer is partially correct, and detail step-
by-step process is shown. Explanations are
not satisfactory.

Or, Video demonstration is NOT provided.









Not answered













4 Marks
4 Marks 3 Marks 2 Marks 1 Marks 0 Marks
Question 4

Advanced Multi-
Factor
Authentication
Both Q4(a) and Q4(b) are
answered correctly with required
description and screenshots.

















Any 1 of the
followings is
satisfied:

1) Only Q4(a) is
answered correctly
with required
description and
screenshots.

OR

2) Both Q4(a) and
Q4(b) are partially
correct and a few
description and
screenshots are
provided.

Any 1 of the followings is satisfied:

1) Both Q4(a) and Q4(b) are correct,
but inadequate description and
screenshots are provided.

OR

2) Only Q4(b) is answered correctly
with required description and
screenshots.









Both Q4(a) and Q4(b) are attempted. But,
answered are not correct and requirements
are not fulfilled.

















Not answered



















12 Marks
12 Marks 8 Marks 4 Marks 2 Marks 0 Marks