Presentation is loading. Please wait.

Presentation is loading. Please wait.

Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO.

Published byDamian West Modified over 9 years ago

Similar presentations

Presentation on theme: "Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO."— Presentation transcript:

1 Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO

2 Introduction

3 Example: New York Times Website

4 Related Work  Client-side script protections.  Script transformations.  Policy generation.

5 Motivation Introduces tools to assist site administrators in understanding, monitoring, and restricting the behavior of third-party scripts embedded in their site.

6 OVERVIEW  Introduction & Pervious Works  Motivation  Design  Policing  Inspecting Script Behavior  Visualizing  More Design Details  Developing Base Polices  Developing Site-Specific Polices  Police Evaluations  Conclusions & Quizzes

7 BASIC DESIGN

8

9 Document Object Model(DOM)

10 POLICIES

11 Node Descriptor AbsoluteXPath: /HTML[1]/BODY[1]/DIV[1]/ SelectorXPath: // DIV[@class=‘ad’] Regular Expression Xpath //DIV[@ID=‘adSize−\d ∗ x\d ∗ ’] ^NodeSelector ˆˆ// DIV[@ID=‘adPos’] // DIV[@ID=‘adPos’]/DIV[2]

12 INSPECTING SCRIPT BEHAVIOR Recording accesses Checking policies DOM access recording Recording other actions Script-injected nodes Attribution

13 VISUALIZATION

14 FINDINGS Browser properties Network Modifying page content Reading page content

15 DEVELOPING BASE POLICIES Evaluation method Base policy examples Analytics scripts Advertisements Social widgets Web development 25 selected scripts, 1000 highest ranked websites

16 Analytics scripts

17 DEVELOPING SITE-SPECIFIC POLICIES PolicyGenerator Site-specific policy examples

18 POLICY EVALUATION Policy size

19 POLICY EVALUATION Policy robustness

20 Conclusion ScriptInspector Visualizer PolicyGenerator Threat model Capable of intercepting and recording API calls from third-party scripts to critical resources, including the DOM, local storage, and network Firefox extension that uses the instrumented DOM maintained by ScriptInspector to highlight nodes accessed by third-party scripts and help a site administrator understand script behaviors. PolicyGenerator to help site administrators develop effective policies with limited human intervention Provide site administrators with a way to ensure the integrity of their site and protect the privacy of their users from embedded scripts

21 Quizzes What are the 4 major Script groups based on this paper What is the limitation of this system? What is the DOM?

Download ppt "Understanding and Monitoring Embedded Web Scripts Yuchen Zhou, David Evans, University of Virginia PRESENT BY ZEYI TAO."

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
On the Incoherencies in Web Browser Access Control Policies Authors: Kapil Singh, et al Presented by Yi Yang.

On the Incoherencies in Web Browser Access Control Policies Authors: Kapil Singh, et al Presented by Yi Yang.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.

Building Enterprise Applications Using Visual Studio ®.NET Enterprise Architect.
Interactive Mapping API’s MDIT - Center for Shared Solutions.

Interactive Mapping API’s MDIT - Center for Shared Solutions.
ARCS Data Analysis Software An overview of the ARCS software management plan Michael Aivazis California Institute of Technology ARCS Baseline Review March.

ARCS Data Analysis Software An overview of the ARCS software management plan Michael Aivazis California Institute of Technology ARCS Baseline Review March.
SWE 444: Internet & Web Application Development0.1 SWE 444 Internet and Web Application Development Dr. Abdallah Al-Sukairi and Dr. Sahalu Junaidu

SWE 444: Internet & Web Application Development0.1 SWE 444 Internet and Web Application Development Dr. Abdallah Al-Sukairi and Dr. Sahalu Junaidu
Social Network Priyanka Agrawal. Introduction Social Network is a social structure made of nodes that are tied by one or more specific types of relations.

Social Network Priyanka Agrawal. Introduction Social Network is a social structure made of nodes that are tied by one or more specific types of relations.
Chapter 8 DESIGNING WEBSITES - From Page to Stage Day 13.

Chapter 8 DESIGNING WEBSITES - From Page to Stage Day 13.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Elision Based Text Zooming Project Update Sam Davis.

Elision Based Text Zooming Project Update Sam Davis.
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.
WebQuilt and Mobile Devices: A Web Usability Testing and Analysis Tool for the Mobile Internet Tara Matthews Seattle University April 5, 2001 Faculty Mentor:

WebQuilt and Mobile Devices: A Web Usability Testing and Analysis Tool for the Mobile Internet Tara Matthews Seattle University April 5, 2001 Faculty Mentor:
1 Using jQuery JavaScript & jQuery the missing manual (Second Edition)

1 Using jQuery JavaScript & jQuery the missing manual (Second Edition)
Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)

Phu H. Phung Chalmers University of Technology JSTools’ 12 June 13, 2012, Beijing, China Joint work with Lieven Desmet (KU Leuven)
© 2011 LogiGear Corporation. All Rights Reserved Capturing Interface Presenter: Thuy Tran.

© 2011 LogiGear Corporation. All Rights Reserved Capturing Interface Presenter: Thuy Tran.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Contents:  1 – Introduction to the subject of web mining and techniques  2 – Overview of research conducted (both theory and practical)  3 – Software.

Contents:  1 – Introduction to the subject of web mining and techniques  2 – Overview of research conducted (both theory and practical)  3 – Software.

Similar presentations

Ads by Google