Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild

Moog, Marvin; Demmel, Markus; Backes, Michael; Fass, Aurore

doi:10.1109/dsn48987.2021.00065

Cited by 15 publications

(5 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Dynamic nature of JS.. We find that a number of scripts use dynamic features such as eval() and anonymous functions [63,68]. A number of scripts also employ JS minification and obfuscation techniques that produce code that is uninterpretable manually [70].…”

Section: Discussionmentioning

confidence: 96%

“…Functional behavior in tracking scripts can also exist due to the dynamic nature of webpages. Between the tracking score measurement and blocking experiments, the script may have changed, or the webpage deliberately refactors the script slightly for reasons such as JS obfuscation [69] or minification [63]. For better threshold selection, we must answer what are the consequences of widening the tracking score threshold?…”

Section: Rq3: Prevalence Of Mixed Scriptsmentioning

confidence: 99%

See 1 more Smart Citation

Blocking JavaScript without Breaking the Web: An Empirical Investigation

Amjad¹,

Shafiq²,

Gulzar³

2023

Preprint

View full text Add to dashboard Cite

Modern websites heavily rely on JavaScript (JS) to implement legitimate functionality as well as privacy-invasive advertising and tracking. Browser extensions such as NoScript block any script not loaded by a trusted list of endpoints, thus hoping to block privacy-invasive scripts while avoiding breaking legitimate website functionality. In this paper, we investigate whether blocking JS on the web is feasible without breaking legitimate functionality. To this end, we conduct a large-scale measurement study of JS blocking on 100K websites. We evaluate the effectiveness of different JS blocking strategies in tracking prevention and functionality breakage. Our evaluation relies on quantitative analysis of network requests, and resource loads as well as manual qualitative analysis of visual breakage. First, we show that while blocking all scripts is quite effective at reducing tracking, it significantly degrades functionality on approximately two-thirds of the tested websites. Second, we show that selective blocking of a subset of scripts based on a curated list achieves a better tradeoff. However, there remain approximately 15% "mixed" scripts, which essentially merge tracking and legitimate functionality and thus cannot be blocked without causing website breakage. Finally, we show that fine-grained blocking of a subset of JS methods, instead of scripts, reduces major breakage by 3.7× while providing the same level of tracking prevention. Our work highlights the promise and open challenges in fine-grained JS blocking for tracking prevention without breaking the web.

show abstract

Section: Discussionmentioning

confidence: 96%

Section: Rq3: Prevalence Of Mixed Scriptsmentioning

confidence: 99%

Blocking JavaScript without Breaking the Web: An Empirical Investigation

Amjad¹,

Shafiq²,

Gulzar³

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Dynamic nature of JS. We find that a number of scripts use dynamic features such as eval() and anonymous functions [59,65]. A number of scripts also employ JS minification and obfuscation techniques that produce code that is uninterpretable manually [61,67].…”

Section: Discussionmentioning

confidence: 99%

“…Functional behavior in tracking scripts can also exist due to the dynamic nature of webpages. Between the tracking score measurement and blocking experiments, the script may have changed, or the webpage deliberately refactors the script slightly for reasons such as JS obfuscation [61,67] or minification [59]. For better threshold selection, we must answer what are the consequences of widening the tracking score threshold?…”

Section: Rq3: Prevalence Of Mixed Scriptsmentioning

confidence: 99%

Blocking JavaScript Without Breaking the Web: An Empirical Investigation

Amjad

Shafiq

Gulzar

2023

PoPETs

View full text Add to dashboard Cite

Modern websites heavily rely on JavaScript (JS) to implement legitimate functionality as well as privacy-invasive advertising and tracking. Browser extensions such as NoScript block any script not loaded by a trusted list of endpoints, thus hoping to block privacy-invasive scripts while avoiding breaking legitimate website functionality. In this paper, we investigate whether blocking JS on the web is feasible without breaking legitimate functionality. To this end, we conduct a large-scale measurement study of JS blocking on 100K websites. We evaluate the effectiveness of different JS blocking strategies in tracking prevention and functionality breakage. Our evaluation relies on quantitative analysis of network requests and resource loads as well as manual qualitative analysis of visual breakage. First, we show that while blocking all scripts is quite effective at reducing tracking, it significantly degrades functionality on approximately two-thirds of the tested websites. Second, we show that selective blocking of a subset of scripts based on a curated list achieves a better trade-off. However, there remain approximately 15% “mixed” scripts, which essentially merge tracking and legitimate functionality and thus cannot be blocked without causing website breakage. Finally, we show that fine-grained blocking of a subset of JS methods, instead of scripts, reduces major breakage by 3.8× while providing the same level of tracking prevention. Our work highlights the promise and open challenges in fine-grained JS blocking for tracking prevention without breaking the web.

show abstract

“…Bundlers often apply code transformations during the bundling process thus, the code they produce can be considered transformed. Skolka et al [40] and Moog et al [29] study two types of transformed code: minification and obfuscation. Minification is natively supported by most bundlers, thus, a very common transformation applied to bundled code.…”

Section: Related Workmentioning

confidence: 99%

Jack-in-the-box: An Empirical Study of JavaScript Bundling on the Web and its Security Implications

Rack,

Staicu

2023

Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

In recent years, we have seen an increased interest in studying the software supply chain of user-facing applications to uncover problematic third-party dependencies. Prior work shows that web applications often rely on outdated or vulnerable third-party code. Moreover, real-world supply chain attacks show that dependencies can also be used to deliver malicious code, e.g., for carrying cryptomining operations. Nonetheless, existing measurement studies in this domain neglect an important software engineering practice: developers often merge together third-party code into a single file called bundle, which they then deliver from their own servers, making it appear as first-party code. Bundlers like Webpack or Rollup are popular open-source projects with tens of thousand of GitHub stars, suggesting that this technology is widely-used by developers. Ignoring bundling may result in underestimating the complexity of modern software supply chains.In this work, we aim to address these methodological shortcomings of prior work. To this end, we propose a novel methodology for automatically detecting bundles, and partially reverse engineer them. Using this methodology, we conduct the first large-scale empirical study of bundled code on the web and examine its security implications. We provide evidence about the high prevalence of bundles, which are contained in 40% of all websites, and the average website includes more than one bundle. Following our methodology, we reidentify 1 051 vulnerabilities originating from 33 vulnerable npm packages, included in bundled code. Among the vulnerabilities, we find 17 critical and 59 high severity ones, which might enable malicious actors to execute attacks such as arbitrary code execution. Analyzing the low-rated libraries included in bundles, we discover 10 security holding packages, which suggest that supply-chain attacks affecting bundles are not only possible, but they are already happening. CCS CONCEPTS• Security and privacy → Web application security; Software reverse engineering; • Software and its engineering → Software libraries and repositories.

show abstract

Statically Detecting JavaScript Obfuscation and Minification Techniques in the Wild

Cited by 15 publications

References 17 publications

Blocking JavaScript without Breaking the Web: An Empirical Investigation

Blocking JavaScript without Breaking the Web: An Empirical Investigation

Blocking JavaScript Without Breaking the Web: An Empirical Investigation

Jack-in-the-box: An Empirical Study of JavaScript Bundling on the Web and its Security Implications

Contact Info

Product

Resources

About