Published August 26, 2025 | Version v1
Conference paper Open

Dredging the River Styx: Fortifying the Web through Robust and Real-Time Script Attribution

Description

The modern web ecosystem relies heavily on the inclusion of third-party scripts, as they offer useful, and often necessary, functionality. This inclusion "blends" code from different origins, which has significant ramifications. Specifically, the inability to effectively and robustly disambiguate between first-party and embedded third-party scripts can severely undermine the security and privacy guarantees of existing defenses (e.g., blocking trackers or preventing vulnerabilities such as DOM XSS), as well as the validity of web measurement studies. To address this gap we propose StyxJS, a system that provides real-time attribution of third-party scripts while preventing the evasive tactics that malicious scripts can employ. This is achieved through an automated pipeline consisting of stack walking, script rewriting, browser API overriding, and tamper-proofing mechanisms. Crucially, our system requires no developer input or prior knowledge about the website and can thus be readily incorporated into any countermeasure or web measurement apparatus that requires robust script attribution. We conduct an extensive experimental evaluation of our system and demonstrate that it accurately captures more script inclusion techniques than prior work, while incurring negligible performance overhead and preserving page-deployed security mechanisms (e.g., CSP). We also detail the straightforward process and benefits of retrofitting a varied set of existing defenses on top of StyxJS, as well as leveraging it to analyze the web ecosystem. We will release our system as an open source project, to allow security researchers and practitioners to benefit from StyxJS’ capabilities.

Files

Dredging the River Styx Fortifying the Web through Robust and Real-Time Script Attribution.pdf