Understanding and Monitoring Embedded Web Scripts

Yuchen Zhou and David Evans

University of Virginia

IEEE Symposium on Security and Privacy (Oakland '15)

  • Introduction

    Modern web applications make frequent use of third-party scripts, often in ways that allow scripts loaded from external servers to make unrestricted changes to the embedding page and access critical resources, including private user information. This paper describes tools we developed to assist site administrators in understanding, monitoring, and restricting the behavior of third-party scripts embedded in their site. We developed ScriptInspector, a modified browser that can intercept, record, and check third-party script accesses to critical resources against security policies, along with a Visualizer tool that allows users to conveniently view recorded script behaviors and candidate policies, and a PolicyGenerator tool that aids script providers and site administrators in writing policies. Site administrators can manually refine these policies with minimal effort to produce policies that effectively and robustly limit the behavior of embedded scripts. PolicyGenerator is able to generate effective policies for all scripts embedded on 72 out of the 100 test sites with minor human assistance. In this paper, we present the designs of our tools, report on what we've learned about script behaviors using them, and evaluate the value of our approach for website administrators.

  • Downloads

    ScriptInspector and PolicyGenerator can be downloaded here. Please follow instructions on the GitHub README page for more details.

  • Paper

    Our paper is to appear at IEEE S&P (Oakland) 2015, to be held in San Jose. Please click here to download the paper. If you have any questions, don't hesitate to email me.

    In the paper, we referred readers to this website for a complete list of URLs that we constructed policies for. Please click here to see it. We've also made all the base and site-specific policies available to the public for download. These policies are accurate as of February 2015.