FraudNet payloads reference
DOCS
Last updated: Aug 15th, 7:03am
FraudNet delivers several payloads. This section describes the variables for each payload and provides further information about FraudNet payloads.
Payload P1 (POST 1)
| Field Name | Source | Description |
|---|---|---|
appId | (client-generated) | Client-generated source ID passed to FraudNet |
correlationId | (client-generated) | Client-randomly-generated sequence passed to FraudNet. Identical to CMID, and must be unique per session, with the CMID in the Fraudnet payloads matching the CMID in the payment API call. Maximum length: 32 characters |
| Category: payload | ||
referer | document.referrer | Header indicating the URL of the page where FraudNet is embedded |
URL | document.URL | Returns the location of the current document |
rvr | (generated) | Version of the FraudNet JavaScript |
activeXDefined | window.ActiveXObject | (IE only) Returns if an ActiveX is defined for Internet Explorer |
tz | (generated) | Browser’s time zone (utc_offst_ms_cnt/3600000) |
tzName | (generated) | Browser’s time zone, in long format |
time | new Date().getTime() | Current time returned by the FraudNet JavaScript |
| Category: payload.navigator | ||
appName | window.navigator | Name of the browser |
appVersion | window.navigator | Version of the browser |
cookieEnabled | window.navigator | Returns whether cookies are enabled in the browser |
language | window.navigator | Language of the browser application |
onLine | window.navigator | Returns whether the browser is working online |
platform | window.navigator | Name of the operating system platform |
product | window.navigator | String containing information about the browser engine |
productSub | window.navigator | String containing the development build number of the browser engine |
userAgent | window.navigator | String representing the user agent header |
vendor | window.navigator | String specifying the name of the browser vendor |
vendorSub | window.navigator | String specifying the name of the browser sub-vendor |
| Category: payload.screen | ||
colorDepth | window.screen | Number of bits used to represent the color of a single pixel on the screen, or in the buffer when off-screen buffering is enabled |
pixelDepth | window.screen | Screen pixel depth bit count |
height | window.screen | Vertical resolution of the screen, in pixels |
width | window.screen | Horizontal resolution of the screen, in pixels |
availHeight | window.screen | Returns the height of the working area of the system’s screen, excluding the Windows taskbar |
availWidth | window.screen | Returns the width of the working area of the system’s screen, excluding the Windows taskbar |
| Category: payload.window | ||
outerHeight | window.outerHeight | Returns the height of the outside of the browser window |
outerWidth | window.outerWidth | Returns the width of the outside of the browser window |
innerHeight | window.innerHeight | Returns the height of the content area of the browser window including, if rendered, the horizontal scrollbar |
innerWidth | window.innerWidth | Returns the width of the content area of the browser window including, if rendered, the vertical scrollbar |
devicePixelRatio | window.devicePixelRatio | Returns the ratio between physical pixels and device independent pixels of the existing display |
| Category: payload.flashVersion | ||
major | navigator.plugin | Major version number of the Flash plugin |
minor | navigator.plugin | Minor version number of the Flash plugin |
release | navigator.plugin | Release version of the Flash plugin |
| Category: payload.pt1 | ||
cd1 | performance.now() | Time taken to collect data for the first post (P1) |
pp1 | performance.now() | Time taken from FraudNet start until pre post (P1) |
i | performance.now() | Time taken for FraudNet to load iFrame (P1) |
ph1 | (generated) | Checksum generated value |
sf | (generated) | Four digit spoof-flag. Checks user agent, global properties, outer width/height, Selenium |
tb | (generated) | Sets the trueBrowser property. Corresponds to an enum of the browser: Chrome, Safari, Firefox, IE |
| Category: payload.asynchk | ||
ph2 | (generated) | Checksum generated based on properties within the payload |
o | (generated) | Order based on which the checksum string is generated. Last digit being random generated number between 1 - 5 |
| Category: payload.connectionData | ||
effectiveType | (generated) | Effective connection type |
downlink | FN Internal | Effective bandwidth estimate in mbps |
type | FN Internal | Connection type |
downlinkMax | FN Internal | Upper bound on the downlink speed of the first network hop |
rtt | FN Internal | round-trip time estimate in ms |
Payload P2 (POST 2)
| Field Name | Source | Description |
|---|---|---|
appId | Client-generated | Source ID of the FraudNet application |
correlationId | Client-generated | Client-randomly-generated sequence passed to FraudNet |
fsoError (deprecated) | (generated) | Returns true if Flash fails to load. |
fsold (deprecated) | (generated) | PayPal FSO. Only present if the user has logged in previously to paypal.com |
| Category: payload.data | ||
fonts (deprecated) | Flash - enumerateFonts() | The fonts in a comma-delimited list sorted in ascending order |
dom | (generated) | Returns a string of the DOM tree HTML elements |
| Category: payload.data.plugins | ||
n | navigator.plugins[x] | Returns the name of the plugin created by the application creator |
v | navigator.plugins[x] | Returns the version of the plugin. This does not populate for the Chrome or Safari browsers |
fn | navigator.plugins[x] | Returns the name of the current plugin, including the extension |
d | window.navigator | Returns the description supplied by the plugin creator |
t | (generated) | Returns the name of the MIME type associated to the plugin |
s | (generated) | Returns a string value that contains a comma-separated list of possible file extensions for the current MIME type |
| Category : payload.data.vm | ||
cores | navigator.hardwareConcurrency | Number of logical processors available to run threads on the user’s device |
| Category: payload.data.vm.gpu | ||
vendor | WebGL | Vendor string of the graphics driver |
renderer | WebGL | Renderer string of the graphics driver |
| Category: payload.data.vm.jsMem | ||
usedJSHeapSize | window.performance.memory | Amount of memory in bytes currently being used. Chrome only. Based on the entire Chrome process. |
totalJSHeapSize | window.performance.memory | Amount of memory in bytes that the JS heap has allocated, including free space. Chrome only. Based on the entire Chrome process. |
jsHeapSizeLimit | window.performance.memory | Amount of memory in bytes to which the JS heap is limited. Chrome only. Based on the entire Chrome process. |
| Category: payload.data.vm.perfNav | ||
navigationStart | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the prompt to unload terminates on the previous document in the same browsing context. If there is no previous document, this value is the same as PerformanceTiming.fetchStart. |
unloadEventStart | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the unload event has been thrown. This indicates the time at which the previous document in the window began to unload. If there is no previous document, or if the previous document or one of the needed redirects is not of the same origin, the value returned is 0. |
unloadEventEnd | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the unload event handler finishes. If there is no previous document, or if the previous document, or one of the needed redirects, is not of the same origin, the value returned is 0. |
redirectStart | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the first HTTP redirect starts. If there is no redirect, or if one of the redirects is not of the same origin, the value returned is 0. |
redirectEnd | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the last HTTP redirect is completed. This is when the last byte of the HTTP response has been received. If there is no redirect, or if one of the redirects is not of the same origin, the value returned is 0. |
fetchStart | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the browser is ready to fetch the document using an HTTP request. This moment is before the check to any application cache. |
domainLookupStart | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the domain lookup starts. If a persistent connection is used, or the information is stored in a cache or a local resource, the value will be the same as PerformanceTiming.fetchStart. |
domainLookupEnd | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the domain lookup is finished. If a persistent connection is used, or the information is stored in a cache or a local resource, the value will be the same as PerformanceTiming.fetchStart. |
connectStart | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the request to open a connection is sent to the network. If the transport layer reports an error, and the connection establishment is started again, the last connection establishment start time is given. If a persistent connection is used, the value is the same as PerformanceTiming.fetchStart. |
connectEnd | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the connection is opened network. If the transport layer reports an error, and the connection establishment is started again, the last connection establishment end time is given. If a persistent connection is used, the value is the same as PerformanceTiming.fetchStart. A connection is considered as opened when all secure connection handshake or SOCKS authentication is terminated. |
secureConnectionStart | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the secure connection handshake starts. If no such connection is requested, it returns 0. |
requestStart | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the browser sent the request to obtain the document from the server or from a cache. If the transport layer fails after the start of the request, and the connection is reopened, this property is set to the time corresponding to the new request. |
responseStart | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the browser received the first byte of the response from the server, from a cache, or from a local resource. |
responseEnd | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the browser received the last byte of the response or that the connection is closed (if this happens first) from the server, from the cache, or from a local resource. |
domLoading | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the parser started its work. That is when its Document.readyState changes to loading, and the corresponding readystate change event is thrown. |
domInteractive | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the parser finished its work on the main document. That is when its Document.readyState changes to interactive, and the corresponding readystate change event is thrown. |
domContentLoadedEventStart | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that is just before the parser sent the DOMContentLoaded event. That is just after all the scripts that must be executed immediately after parsing has been executed. |
domContentLoadedEventEnd | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, just after all the scripts that must be executed as soon as possible (in order or not) have been executed. |
domComplete | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the parser finished its work on the main document. That is when its Document.readyState changes to complete, and the corresponding readystate change event is thrown. |
loadEventStart | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the load event was sent for the current document. If this event has not yet been sent, it returns 0. |
loadEventEnd | window.performance.timing | An unsigned long long that represents the duration in milliseconds, since the UNIX epoch, that the load event handler terminated. That is when the load event is completed. If this event has not yet been sent or is not yet completed, it returns 0. |
| Category: payload.data.vm.timing | ||
cores | (internal timing) | Time taken to get the cores data |
gpu | (internal timing) | Time taken to get the GPU data |
jsMem | (internal timing) | Time taken to get the JS Memory data |
perfNav | (internal timing) | Time taken to get the performance navigation timing data |
total | (internal timing) | Total time to get the VM attributes |
| Category: payload.sc | ||
sc-lst (deprecated) | (generated) | Supercookie using browser’s local storage |
sc-flash | (generated) | Supercookie using the Flash plugin’s Local Storage Object |
httpCookie | (generated) | Indicates whether to set the HTTP supercookie. Controlled by the client. |
| Category: payload.pt2 | Collects the FraudNet performance timings | |
flash (deprecated) | performance.now() | Returns the time taken to load the Flash (.swf) |
cp | performance.now() | Returns the time taken to collect the plugins |
cd | performance.now() | Returns the time taken to collect the data for the second post (p2) |
cd2 | performance.now() | Returns the time taken to collect the data for the second post (p2) |
Payload P3 and w
| Field Name | Source | Description |
|---|---|---|
| Category: p3 | ||
ipV6 | (generated) | The ipV6 address captured at c6.paypal.com, from Akamai. |
rDT | (generated) | The mouse movement on the page is captured. Refer to the mouse movement parameter mm under Configuration Parameters. |
| Category: w | ||
ts1 | (generated) | The typing speed of the first field, without capturing the actual keys that are being pressed. Refer to the typing speed parameter ts under Configuration Parameters. |
ts2 | (generated) | The typing speed of the second field, without capturing the actual keys that are being pressed. Refer to the typing speed parameter ts under Configuration Parameters. |
Sample P1 data
1{2 "appId": "test",3 "correlationId": "041f755b3eba437e8922b9228a62f85a",4 "payload": {5 "navigator": {6 "appName": "Netscape",7 "appVersion": "5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",8 "cookieEnabled": true,9 "language": "en-US",10 "onLine": true,11 "platform": "MacIntel",12 "product": "Gecko",13 "productSub": "20030107",14 "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36",15 "vendor": "Google Inc.",16 "vendorSub": ""17 },18 "screen": {19 "colorDepth": 24,20 "pixelDepth": 24,21 "height": 1440,22 "width": 2560,23 "availHeight": 1373,24 "availWidth": 256025 },26 "window": {27 "outerHeight": 1291,28 "outerWidth": 1133,29 "innerHeight": 0,30 "innerWidth": 0,31 "devicePixelRatio": 132 },33 "referer": "",34 "URL": "https://www.stage2mb044.stage.paypal.com/FDRegression/fn2/new.html?f=041f755b3eba437e8922b9228a62f85a&s=test",35 "rvr": "20180123",36 "activeXDefined": false,37 "flashVersion": {38 "major": 0,39 "minor": 0,40 "release": 041 },42 "tz": -28800000,43 "tzName": "America/Los_Angeles",44 "dst": true,45 "time": 1517263821249,46 "pt1": {47 "i": "131.00",48 "pp1": "168.00",49 "cd1": "3.00",50 "ph1": "11784.00",51 "sf": "0000",52 "tb": 153 },54 "connectionData": {55 "effectiveType": "4g",56 "rtt": "50",57 "downlink": "8.75"58 },59 "asynchk": {60 "ph2": "b2a57fe0702a790eb44e702dc0aaee29badec4e5f2d2e1f99de34a2380b7c658",61 "o": [62 "ua",63 "colorDepth",64 "width",65 "tz",66 "time",67 "appId",68 "correlationId",69 "1"70 ]71 }72 }73}
Sample P2 data
1{2 "appId": "test",3 "correlationId": "041f755b3eba437e8922b9228a62f85a",4 "fsoError": true,5 "fsoId": null,6 "payload": {7 "data": {8 "plugins": [9 {10 "mT": [11 {12 "t": "application/x-google-chrome-pdf",13 "s": "pdf"14 }15 ],16 "n": "Chrome PDF Plugin",17 "fn": "internal-pdf-viewer",18 "d": "Portable Document Format"19 },20 {21 "mT": [22 {23 "t": "application/pdf",24 "s": "pdf"25 }26 ],27 "n": "Chrome PDF Viewer",28 "fn": "mhjfbmdgcfjbbpaeojofohoefgiehjai",29 "d": ""30 },31 {32 "mT": [33 {34 "t": "application/x-nacl",35 "s": ""36 },37 {38 "t": "application/x-pnacl",39 "s": ""40 }41 ],42 "n": "Native Client",43 "fn": "internal-nacl-plugin",44 "d": ""45 },46 {47 "mT": [48 {49 "t": "application/x-ppapi-widevine-cdm",50 "s": ""51 }52 ],53 "n": "Widevine Content Decryption Module",54 "fn": "widevinecdmadapter.plugin",55 "d": "Enables Widevine licenses for playback of HTML audio/video content. (version: 1.4.8.1030)"56 }57 ],58 "dom": "<DIV <H2 INPUT INPUT BR BR BR BUTTON BR BR BR BUTTON >SCRIPT SCRIPT IFRAME IFRAME >",59 "vm": {60 "cores": 8,61 "gpu": {62 "vendor": "ATI Technologies Inc.",63 "renderer": "AMD Radeon Pro 460 OpenGL Engine"64 },65 "jsMem": {66 "usedJSHeapSize": 35100000,67 "totalJSHeapSize": 37300000,68 "jsHeapSizeLimit": 219000000069 },70 "perfNav": {71 "navigationStart": 1517264089791,72 "unloadEventStart": 0,73 "unloadEventEnd": 0,74 "redirectStart": 0,75 "redirectEnd": 0,76 "fetchStart": 1517264089792,77 "domainLookupStart": 1517264089792,78 "domainLookupEnd": 1517264089792,79 "connectStart": 1517264089792,80 "connectEnd": 1517264089792,81 "secureConnectionStart": 0,82 "requestStart": 1517264089798,83 "responseStart": 1517264089837,84 "responseEnd": 1517264089842,85 "domLoading": 1517264089843,86 "domInteractive": 1517264089939,87 "domContentLoadedEventStart": 1517264089939,88 "domContentLoadedEventEnd": 1517264089940,89 "domComplete": 1517264089940,90 "loadEventStart": 1517264089940,91 "loadEventEnd": 151726408994092 },93 "timing": {94 "cores": "0.00",95 "gpu": "16.00",96 "jsMem": "0.00",97 "perfNav": "0.00",98 "total": "17.00"99 }100 }101 },102 "sc": {103 "sc-flash": null,104 "sc-lst": "TaNucHr3uGN3LHNQXMxoteKkRXW715L30h2z5T1Uey5kEKqK6shq5duQCGGXxhh9nxTe8o7Q6rPmsDkT6AyxsGlcqhQZLFrgb-kL6W",105 "httpCookie": true106 },107 "pt2": {108 "cd2": "19.00",109 "cp": "0.00",110 "flash": "0.00"111 }112 }113}