Author (Chinese): 陳亭翰
Author (English): Chen, Ting-Han
Title (Chinese): 瀏覽器擴充功能靜態檢測系統
Title (English): A Static Analysis System on Browser Extensions
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Committee members (Chinese): 黃世昆; 許富皓
Committee members (English): Huang, Shih-Kun; Hsu, Fu-Hau
Degree: Master's
Institution: National Tsing Hua University (國立清華大學)
Department: Department of Computer Science (資訊工程學系)
Student ID: 106062533
Year of publication: 108 (ROC calendar, i.e. 2019)
Academic year of graduation: 107 (2018/19)
Language: English
Pages: 44
Keywords (Chinese): 瀏覽器擴充功能; 靜態分析; 網頁安全
Keywords (English): Browser Extensions; Static Analysis; Web Security
Abstract:
With the vigorous growth of the Internet, most users access websites through a browser. To make browsing more convenient and improve the user experience, browsers introduced the concept of the browser extension, which anyone can build and install. However, like ordinary websites, extensions carry risks of privacy exposure and transmission of sensitive data. An extension may itself be malicious, written from the outset to steal private information, or a benign extension may be turned into a malicious one through third-party tampering.
In this study we build a system that scans an extension's source code and performs static analysis by matching the extracted features against vectors built into the system. These vectors cover the manifest, HTML and JavaScript: the manifest vectors check basic settings and permissions, while the HTML and JavaScript vectors detect and help prevent web attacks such as cross-site scripting (XSS). Besides listing the features that may lead to vulnerabilities and their severity levels, the generated report points out each feature's location within the extension and gives a related description, helping users assess the risk and understand the possible vulnerability. For settings that may cause vulnerabilities, the system also suggests appropriate settings for extension developers to refer to.
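The two analysis stages the abstract describes (manifest permission and CSP checks, then DOM-XSS sink detection in the extension's JavaScript), as an added example in Node.js-style JavaScript that is not the thesis's own code. It takes an in-memory extension (a constructed manifest.json and popup.js), reports each finding with severity, location, description and advice, and groups sinks into the document, location and execution classes named in the thesis outline. The severity scale, the advice strings, the permission table, the regex patterns and the sample extension are this example's assumptions, not the thesis's own classification or vectors.

```javascript
// Added example, not the thesis's code: manifest permission/CSP checks, then a
// line-level DOM-XSS sink scan (document, location and execution sinks).
const SEVERITY = { HIGH: "high", MEDIUM: "medium", LOW: "low" };
// Real WebExtension permission names; severity and note are this example's assumptions.
const RISKY_PERMISSIONS = {
  "<all_urls>":         [SEVERITY.HIGH,   "host access to every site"],
  "webRequestBlocking": [SEVERITY.HIGH,   "can rewrite or block any request"],
  "cookies":            [SEVERITY.HIGH,   "reads session cookies of matched hosts"],
  "tabs":               [SEVERITY.MEDIUM, "exposes URLs and titles of open tabs"],
};
// Host patterns that amount to "every origin", e.g. *://*/* or http://*/*.
const WILDCARD_HOST = /^(\*|https?|file|ftp):\/\/\*\/\*?$/;

function analyzeManifest(manifest) {
  const findings = [];
  const add = (severity, where, desc, advice) =>
    findings.push({ file: "manifest.json", where, category: "manifest", severity, desc, advice });
  // MV2 lists host patterns under permissions; MV3 moves them to host_permissions.
  for (const p of [...(manifest.permissions || []), ...(manifest.host_permissions || [])]) {
    if (RISKY_PERMISSIONS[p]) {
      add(RISKY_PERMISSIONS[p][0], `permissions[${p}]`, RISKY_PERMISSIONS[p][1],
        "request only the narrowest permission the feature needs");
    } else if (WILDCARD_HOST.test(p)) {
      add(SEVERITY.HIGH, `permissions[${p}]`, "wildcard host pattern matches every origin",
        "list only the origins the extension actually contacts");
    }
  }
  // MV2 stores the CSP as a string; MV3 as an object keyed by context.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  if (/'unsafe-eval'/.test(cspText))
    add(SEVERITY.HIGH, "content_security_policy", "'unsafe-eval' re-enables eval()/new Function()",
      "drop 'unsafe-eval' and avoid string-to-code APIs");
  if (/script-src[^;]*\bhttp:/.test(cspText))
    add(SEVERITY.HIGH, "content_security_policy", "script-src allows plain-http script origins",
      "bundle the script or load it over https only");
  return findings;
}

// DOM-XSS sinks as line-level regexes; a production tool would use an AST and
// follow data flow across lines (see the line-2 miss in the sample below).
const SINKS = [
  { category: "document",  severity: SEVERITY.HIGH,   re: /\.(innerHTML|outerHTML)\s*=(?!=)/ },
  { category: "document",  severity: SEVERITY.HIGH,   re: /\bdocument\.write(ln)?\s*\(/ },
  { category: "location",  severity: SEVERITY.MEDIUM, re: /\blocation(\.href)?\s*=(?!=)/ },
  { category: "location",  severity: SEVERITY.MEDIUM, re: /\blocation\.(assign|replace)\s*\(/ },
  { category: "execution", severity: SEVERITY.HIGH,   re: /\beval\s*\(/ },
  { category: "execution", severity: SEVERITY.HIGH,   re: /\bnew\s+Function\s*\(/ },
  { category: "execution", severity: SEVERITY.HIGH,   re: /\bset(Timeout|Interval)\s*\(\s*["'`]/ },
];
// Attacker-influenced DOM sources; a sink reading one on the same line is escalated to HIGH.
const SOURCES = /\b(location\.(search|hash|href)|document\.(URL|referrer|cookie)|window\.name)\b/;
const ADVICE = {
  document:  "build nodes with createElement/textContent or sanitize before inserting HTML",
  location:  "validate the target URL's scheme and host before navigating",
  execution: "never pass strings derived from input to eval, Function, setTimeout or setInterval",
};

function scanJavaScript(file, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, i) => {
    for (const sink of SINKS) {
      const m = sink.re.exec(line);
      if (!m) continue;
      // Only text after the sink is its input, so `location.href = '/x'` is not tainted.
      const tainted = SOURCES.test(line.slice(m.index + m[0].length));
      findings.push({
        file, where: `line ${i + 1}`, category: sink.category,
        severity: tainted ? SEVERITY.HIGH : sink.severity, advice: ADVICE[sink.category],
        desc: `${sink.category} sink ${m[0].trim()}` + (tainted ? ", fed from a DOM source on the same line" : ""),
      });
    }
  });
  return findings;
}

function analyzeExtension(files) {
  const findings = files["manifest.json"] ? analyzeManifest(JSON.parse(files["manifest.json"])) : [];
  for (const [name, src] of Object.entries(files)) if (name.endsWith(".js")) findings.push(...scanJavaScript(name, src));
  return findings;
}

// Constructed sample extension (not a real package) exercising each check.
const SAMPLE_EXTENSION = {
  "manifest.json": JSON.stringify({
    manifest_version: 2, name: "Sample", version: "1.0",
    permissions: ["tabs", "cookies", "*://*/*", "storage"],
    content_security_policy: "script-src 'self' 'unsafe-eval' http://cdn.example; object-src 'self'",
  }),
  "popup.js": [
    "const name = new URLSearchParams(location.search).get('name');",
    "document.getElementById('out').innerHTML = '<b>' + name + '</b>';", // sink; source is on line 1, so not escalated
    "document.write(decodeURIComponent(location.hash));",                // sink fed directly from a source
    "const p = document.createElement('p'); p.textContent = name;",      // safe, no finding
    "eval('setMode(' + location.hash.slice(1) + ')');",                  // execution sink, tainted
    "if (location.href === '/start') { location.href = '/home'; }",      // location sink, constant target
    "setTimeout(\"refresh()\", 1000);",                                  // string argument to setTimeout
  ].join("\n"),
};

for (const f of analyzeExtension(SAMPLE_EXTENSION)) console.log(`[${f.severity}] ${f.file} ${f.where}: ${f.desc}. Advice: ${f.advice}`);
```

Run with `node` to print the ten findings for the sample. The deliberate limitation on line 2 of the sample (the sink is reported, but the flow from line 1 is not recognised) is why a real checker works on an AST with cross-line taint tracking rather than per-line regexes.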
Table of Contents:
  List of Figures
  List of Tables
  1 Introduction
    1.1 Motivation
    1.2 Contribution
    1.3 Organization
  2 Background
    2.1 Browser Extension
    2.2 Extension Manifest File
    2.3 Cross-Site Scripting (XSS)
      2.3.1 Non-persistent XSS
      2.3.2 Persistent XSS
      2.3.3 DOM-based XSS
    2.4 Sinks in DOM-based XSS
      2.4.1 Document sink
      2.4.2 Location sink
      2.4.3 Execution sink
  3 Related Works
  4 System Design
    4.1 Goal
    4.2 Framework
      4.2.1 Initialization stage
      4.2.2 Analysis stage
      4.2.3 Report stage
  5 Implementation
    5.1 System Requirement
    5.2 Tools
      5.2.1 Node.js modules
      5.2.2 HTML Parser
      5.2.3 wkhtmltopdf
    5.3 System Details
      5.3.1 Severity level classification
      5.3.2 Manifest analysis
      5.3.3 HTML analysis
      5.3.4 JavaScript analysis
      5.3.5 Report
  6 System Evaluation
    6.1 Experiment Design
      6.1.1 Environment and settings
      6.1.2 Sample test set
    6.2 Experimental Result
  7 Conclusion
    7.1 Conclusion
    7.2 Future Works
  Bibliography
Full text: not released for public access (此全文未開放授權)