The Development Of Chrome Plugin About Secure Payment Based On HTML5

HTML5 is the newest standard for the web technology. Compared with the traditional ways, it has great advantages such as more features, more cross-platform supported and more reasonably defined. With the opportunity that brought about by both the mature of the HTML5 and the Rich Internet Applications, web pages and web applications would all use HTML5 technology in the future. Today, online shopping and banking are changing people's shopping habits and financial concepts because of their simplicity in process, higher discount and more profits. Online shopping, transfer payments and financial products purchasing have now already become essential parts of people's daily life. However, online shopping and payment cannot be conducted without the support of the browser, meantime, chrome browser has already occupied a large share in the market for its fast searching speed and high safety performance. Under this circumstance, the studies of chrome extension on secure payment based on HTML5 are very prospective and necessary.Although HTML5 technology would bring a lot of conveniences to people's lives, it also brings about a lot of security issues, moreover, currently most of the security policies on these issues are vulnerable. On the basis of a thorough study of HTML5 secure payment, this thesis analyzes five different aspects of HTML5 security issues, which are listed as follows.1. Firstly, this thesis analyzes the new XSS attack triggered by new HTML5 tags and new attributes. Secondly, it comes to the network scanning using Web Socket protocol. Thirdly, sensitive information stealing with Web Storage is considered as well. Meantime, the new hijacking attacks with the use of Drag-and-Drop events and DDOS attacks caused by the Web Worker are also well studied.2. According to the implementation differences among the vulnerability exploit, online payment process in server and client end, we summarize the above five issues as the abuse of XSS and Web Socket. And then, we design and implement a secure payment plugin.3. The plugin intercepts sensitive characters by monitoring changes in the input box and page URL. For the new labels and new properties which may cause XSS, compared with the original defense strategy it adopts a more stringent way in expression matching and gets them filtered respectively by the blacklist and whitelist. In the defense against the XSS, considering various possible forms of attack with the new tags and attributes, the blacklist and whitelist security policies are more comprehensive compared with the traditional ones.4. The plugin uses information sniffing and characteristic parameter matching method to distinguish the aggressive behaviors from normal ones. In this way one can defend the attack which using Web Socket to conduct the IP network scanning, port scanning, and personal IP detection. And this method is innovative.Finally, attack tests show that attacks against HTML5 do exist, and after the plugin is installed, defense tests show that it carried out a successful defense. In conclusion, the defensive approaches taken in this thesis are effective for the new attacks in HTML5, and it can provide a strong guarantee for the secure payment based on HTML5 technology.