Understanding and Monitoring Embedded Web Scripts

Modern web applications make frequent use of third-party scripts, often in ways that allow scripts loaded from external servers to make unrestricted changes to the embedding page and to access critical resources, including private user information.

Overview

ScriptInspector helps site administrators understand, monitor, and restrict the behavior of third-party scripts embedded in their sites. It is a modified browser that intercepts and records third-party script accesses to critical resources and checks those accesses against security policies.

ScriptInspector includes a Visualizer tool for conveniently viewing recorded script behaviors and candidate policies, and a PolicyGenerator tool that helps script providers and site administrators write policies. Site administrators can then refine the generated policies manually, with minimal effort, to produce policies that effectively and robustly limit the behavior of embedded scripts.
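The record-then-check workflow described above, as an added example that is not ScriptInspector's own code: a small monitor in plain JavaScript that wraps a page's sensitive properties with accessors, records which script origin touched which resource, derives a candidate whitelist policy from one recording (the role PolicyGenerator plays), and flags accesses in a later recording that the policy does not permit. ScriptInspector performs the interception inside a modified browser; this example instead uses a constructed plain object in place of `document` and simulates script attribution with a `runAs(origin, fn)` helper, so it runs under Node.js. The origin `https://analytics.example` and the page contents are constructed for illustration.

```javascript
// Added example, not code from the ScriptInspector project.
// Script attribution is simulated: runAs() marks which origin is "executing".
let activeOrigin = "first-party"; // origin of the script currently running

// Run fn as if it were a script loaded from `origin` (simulated attribution;
// a real browser recovers this from the script's URL).
function runAs(origin, fn) {
  const prev = activeOrigin;
  activeOrigin = origin;
  try { return fn(); } finally { activeOrigin = prev; }
}

// Wrap every own property of `resources` with accessors that append an
// {origin, resource, op} record to `trace` before forwarding the access.
function instrument(resources, trace) {
  const store = { ...resources };
  const page = {};
  for (const name of Object.keys(store)) {
    Object.defineProperty(page, name, {
      enumerable: true,
      get() {
        trace.push({ origin: activeOrigin, resource: name, op: "read" });
        return store[name];
      },
      set(value) {
        trace.push({ origin: activeOrigin, resource: name, op: "write" });
        store[name] = value;
      },
    });
  }
  return page;
}

// Candidate policy: the set of "resource:op" pairs each third-party origin
// was observed using during the recording. First-party code is not policed.
function generatePolicy(trace) {
  const policy = {};
  for (const { origin, resource, op } of trace) {
    if (origin === "first-party") continue;
    if (!policy[origin]) policy[origin] = new Set();
    policy[origin].add(`${resource}:${op}`);
  }
  return policy;
}

// Every third-party access in `trace` that `policy` does not permit.
// An origin absent from the policy is allowed nothing.
function checkTrace(trace, policy) {
  return trace.filter(({ origin, resource, op }) =>
    origin !== "first-party" &&
    !(policy[origin] && policy[origin].has(`${resource}:${op}`)));
}

// Constructed page state; `cookie` stands in for private data the site
// does not want an embedded analytics script to read.
const RESOURCES = { cookie: "session=abc123", title: "Example page" };

// Recording run: the site owner exercises the page with its embedded
// scripts and takes the observed behavior as the candidate policy.
function recordCandidatePolicy() {
  const trace = [];
  const page = instrument(RESOURCES, trace);
  runAs("first-party", () => { page.title = "Example page (loaded)"; });
  runAs("https://analytics.example", () => { void page.title; });
  return generatePolicy(trace);
}

// Enforcement run: the analytics script has since been updated and now also
// reads the cookie, which the recorded policy never allowed.
function findViolations(policy) {
  const trace = [];
  const page = instrument(RESOURCES, trace);
  runAs("https://analytics.example", () => { void page.title; void page.cookie; });
  return checkTrace(trace, policy);
}

const candidatePolicy = recordCandidatePolicy();
console.log(findViolations(candidatePolicy));
// [ { origin: 'https://analytics.example', resource: 'cookie', op: 'read' } ]
```

The candidate policy is deliberately just the recorded behavior, which is why the paper's workflow has the administrator refine it by hand: anything the scripts happened not to do during recording is denied, and anything they did do, legitimate or not, is allowed until someone removes it.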

Paper

Yuchen Zhou and David Evans. Understanding and Monitoring Embedded Web Scripts. 36th IEEE Symposium on Security and Privacy (“Oakland”). San Jose, CA. 18-20 May 2015.

Full paper (16 pages): [PDF]

Source Code

https://github.com/Treeeater/JSAccessVisualizer
Includes code for the ScriptInspector, Visualizer, and PolicyGenerator.

Policies

Browse Policies (or download a .zip file with all policies)
Spreadsheet with list of URLs and full policy data (.xlsx)

Authors

Yuchen Zhou (University of Virginia; now at Palo Alto Networks)
David Evans (University of Virginia)