Dewi Laksmiati

DOI: https://doi.org/10.47709/cnahpc.v5i1.1991

2023-01-19

Abstract:The digital world has seen a significant increase in security threats in recent years, with hacker attacks on websites being a major concern in cybersecurity. One platform that is particularly vulnerable is WordPress, which is widely used and therefore a popular target for hackers. About 95.62% hacked website in 2021 is WordPress based site. Therefore, to improve website security we conducted a vulnerability assessment on a WordPress based website, in order to identify vulnerabilities that may be exploited by hackers. To do the vulnerability assessment, we used the network-based scanner based to detect vulnerabilities on the WordPress website. Our results showed that the website had several vulnerabilities that needed to be addressed and fixed immediately. The conclusion of our research highlights the importance of conducting regular vulnerability assessments on WordPress-based websites to reduce the risk of vulnerabilities being exploited. By taking proactive measures to identify and fix vulnerabilities, website owners can better protect their sites from potential hacker attacks. It is crucial for website owners to be aware of the risks posed by security threats in the digital world and to take steps to mitigate these risks to protect their businesses and their customers.

Md. Maruf Hassan,Kaushik Sarker,Saikat Biswas,Md. Hasan Sharif

DOI: https://doi.org/10.5121/ijci.2017.6501

2017-11-07

Abstract:The popularity of content management software (CMS) is growing vastly to the web developers and the business people because of its capacity for easy accessibility, manageability and usability of the distributed website contents. As per the statistics of Built with, 32% of the web applications are developed with WordPress(WP) among all other CMSs [1]. It is obvious that quite a good number of web applications were built with WP in version 4.7.0 and 4.7.1. A recent research reveals that content injection vulnerability was found available in the above two versions of WP [2]. Unauthorized content injection by an intruder in a CMS managed application is one of the serious problems for the business as well as for the web <a class="link-external link-http" href="http://owner.Therefore" rel="external noopener nofollow">this http URL</a>, detection of the vulnerability becomes a critical issue for this time. In this paper, we have discussed about the root cause of WP content injection of the above versions and have also proposed a detection model for the given vulnerability. A tool, SAISAN has been implemented as per our anticipated model and conducted an examination on 176 WP developed web applications using SAISAN. We achieved the accuracy of 92% of the result of SAISAN as compared to manual black box testing outcome.

Cryptography and Security

Zijing Yin,Yiwen Xu,Fuchen Ma,Haohao Gao,Lei Qiao,Yu Jiang

DOI: https://doi.org/10.1145/3517036

IF: 3.685

2023-01-31

ACM Transactions on Software Engineering and Methodology

Abstract:Scanners are commonly applied for detecting vulnerabilities in web applications. Various scanners with different strategies are widely in use, but their performance is challenged by the increasing diversity of target applications that have more complex attack surfaces (i.e., website paths) and covert vulnerabilities that can only be exploited by more sophisticated attack vectors (i.e., payloads). In this paper, we propose Scanner++, a framework that improves web vulnerability detection of existing scanners through combining their capabilities with attack intent synchronization. We design Scanner++ as a proxy-based architecture while using a package-based intent synchronization approach. Scanner++ first uses a purification mechanism to aggregate and refine attack intents, consisting of attack surfaces and attack vectors extracted from the base scanners’ request packets. Then, Scanner++ uses a runtime intent synchronization mechanism to select relevant attack intents according to the scanners’ detection spots to guide their scanning process. Consequently, base scanners can expand their attack surfaces, generate more diverse attack vectors and achieve better vulnerability detection performance. For evaluation, we implemented and integrated Scanner++ together with four widely used scanners, BurpSuite, AWVS, Arachni, and ZAP, testing it on ten benchmark web applications and three well-tested real-world web applications of a critical financial platform from our industry partner. Working under the Scanner++ framework helps BurpSuite, AWVS, Arachni, and ZAP cover 15.26%, 37.14%, 59.21%, 68.54% more pages, construct 12.95×, 1.13×, 15.03×, 52.66× more attack packets, and discover 77, 55, 77, 176 more bugs, respectively. Furthermore, Scanner++ detected eight serious previously unknown vulnerabilities on real-world applications, while the base scanners only found three of them.

computer science, software engineering

Giancarlo Pellegrino,Martin Johns,Simon Koch,Michael Backes,Christian Rossow

DOI: https://doi.org/10.48550/arXiv.1708.08786

2017-08-29

Abstract:Cross-Site Request Forgery (CSRF) vulnerabilities are a severe class of web vulnerabilities that have received only marginal attention from the research and security testing communities. While much effort has been spent on countermeasures and detection of XSS and SQLi, to date, the detection of CSRF vulnerabilities is still performed predominantly manually. In this paper, we present Deemon, to the best of our knowledge the first automated security testing framework to discover CSRF vulnerabilities. Our approach is based on a new modeling paradigm which captures multiple aspects of web applications, including execution traces, data flows, and architecture tiers in a unified, comprehensive property graph. We present the paradigm and show how a concrete model can be built automatically using dynamic traces. Then, using graph traversals, we mine for potentially vulnerable operations. Using the information captured in the model, our approach then automatically creates and conducts security tests, to practically validate the found CSRF issues. We evaluate the effectiveness of Deemon with 10 popular open source web applications. Our experiments uncovered 14 previously unknown CSRF vulnerabilities that can be exploited, for instance, to take over user accounts or entire websites.

Cryptography and Security

Enrico Bazzoli,Claudio Criscione,Federico Maggi,Stefano Zanero

DOI: https://doi.org/10.48550/arXiv.1410.4207

2014-10-16

Abstract:Since the first publication of the "OWASP Top 10" (2004), cross-site scripting (XSS) vulnerabilities have always been among the top 5 web application security bugs. Black-box vulnerability scanners are widely used in the industry to reproduce (XSS) attacks automatically. In spite of the technical sophistication and advancement, previous work showed that black-box scanners miss a non-negligible portion of vulnerabilities, and report non-existing, non-exploitable or uninteresting vulnerabilities. Unfortunately, these results hold true even for XSS vulnerabilities, which are relatively simple to trigger if compared, for instance, to logic flaws. Black-box scanners have not been studied in depth on this vertical: knowing precisely how scanners try to detect XSS can provide useful insights to understand their limitations, to design better detection methods. In this paper, we present and discuss the results of a detailed and systematic study on 6 black-box web scanners (both proprietary and open source) that we conducted in coordination with the respective vendors. To this end, we developed an automated tool to (1) extract the payloads used by each scanner, (2) distill the "templates" that have originated each payload, (3) evaluate them according to quality indicators, and (4) perform a cross-scanner analysis. Unlike previous work, our testbed application, which contains a large set of XSS vulnerabilities, including DOM XSS, was gradually retrofitted to accomodate for the payloads that triggered no vulnerabilities. Our analysis reveals a highly fragmented scenario. Scanners exhibit a wide variety of distinct payloads, a non-uniform approach to fuzzing and mutating the payloads, and a very diverse detection effectiveness.

Cryptography and Security

Amit Kleinmann,Ori Amichay,Avishai Wool,David Tenenbaum,Ofer Bar,Leonid Lev

DOI: https://doi.org/10.48550/arXiv.1706.09303

2017-06-28

Abstract:SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta--data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totaly stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool, that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system--wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.

Cryptography and Security

Muhammad Usman Rana,Munam Ali Shah,Mohammad Abdulaziz Al-Naeem,Carsten Maple

DOI: https://doi.org/10.1109/access.2024.3477631

IF: 3.9

2024-10-19

IEEE Access

Abstract:Ransomware has appeared to be the most damaging and devastating type of malware attack in any cyber physical system. The resilience of a web browser to deal with the malware attack is of significance importance, however, evaluating the performance of a browser to tackle these attacks is a challenging task. Due to various automation techniques, web applications can be tested without human intervention. Technologies such as Junit, Chakram, and Selenium are useful in automated testing but the problem is that the attacker uses harmful code and automated web approaches to distribute their malware. In this research,our contribution is twofold. Firstly, we examine a new attack vector that cyber adversaries can possibly use in the future to infect an operating system with a malware. Currently, attackers use various techniques to gain access to victims' personal computers. Secondly, we present a novel automated web defence to countermeasure these malware attacks. The proposed research aims to provide a better understanding of the new computer virus-spreading techniques that intruders can use in the future. We provide the insight of these attacks and present ways to countermeasure the attacks and to reduce the attack surface. Experiments and flow diagrams have been used to demonstrate the attack and defence approach. To offer malware lateral movement and to encrypt the date of users' device, we use Selenium automation tool on a social media platform. For our experimentation, we developed an application which has been tested on a variety of browsers including Google Chrome, Firefox, and Safari. Our research has revealed that we have an 85 percent success rate when testing in a head-on environment. We have expanded our experiments on headless applications and interestingly, the accuracy rate improved and the probability of success increased to 95 percent. Lastly, we have demonstrated a unique method for detecting and stopping web automation that is generally applicable.

computer science, information systems,telecommunications,engineering, electrical & electronic

Lukas Baumann,Elias Heftrig,Haya Shulman,Michael Waidner

DOI: https://doi.org/10.48550/arXiv.2107.06415

2021-07-13

Cryptography and Security

Abstract:We explore a new type of malicious script attacks: the persistent parasite attack. Persistent parasites are stealthy scripts, which persist for a long time in the browser's cache. We show to infect the caches of victims with parasite scripts via TCP injection. Once the cache is infected, we implement methodologies for propagation of the parasites to other popular domains on the victim client as well as to other caches on the network. We show how to design the parasites so that they stay long time in the victim's cache not restricted to the duration of the user's visit to the web site. We develop covert channels for communication between the attacker and the parasites, which allows the attacker to control which scripts are executed and when, and to exfiltrate private information to the attacker, such as cookies and passwords. We then demonstrate how to leverage the parasites to perform sophisticated attacks, and evaluate the attacks against a range of applications and security mechanisms on popular browsers. Finally we provide recommendations for countermeasures.

Eli Belkind,Ran Dubin,Amit Dvir

2023-07-26

Abstract:With the advance in malware technology, attackers create new ways to hide their malicious code from antivirus services. One way to obfuscate an attack is to use common files as cover to hide the malicious scripts, so the malware will look like a legitimate file. Although cutting-edge Artificial Intelligence and content signature exist, evasive malware successfully bypasses next-generation malware detection using advanced methods like steganography. Some of the files commonly used to hide malware are image files (e.g., JPEG). In addition, some malware use steganography to hide malicious scripts or sensitive data in images. Steganography in images is difficult to detect even with specialized tools. Image-based attacks try to attack the user's device using malicious payloads or utilize image steganography to hide sensitive data inside legitimate images and leak it outside the user's device. Therefore in this paper, we present a novel Image Content Disarm and Reconstruction (ICDR). Our ICDR system removes potential malware, with a zero trust approach, while maintaining high image quality and file usability. By extracting the image data, removing it from the rest of the file, and manipulating the image pixels, it is possible to disable or remove the hidden malware inside the file.

Cryptography and Security,Artificial Intelligence

Indushree M,Manjit Kaur,Manish Raj,Shashidhara R,Heung-No Lee

DOI: https://doi.org/10.3390/s22051959

2022-03-02

Abstract:Cross channel scripting (XCS) is a common web application vulnerability, which is a variant of a cross-site scripting (XSS) attack. An XCS attack vector can be injected through network protocol and smart devices that have web interfaces such as routers, photo frames, and cameras. In this attack scenario, the network devices allow the web administrator to carry out various functions related to accessing the web content from the server. After the injection of malicious code into web interfaces, XCS attack vectors can be exploited in the client browser. In addition, scripted content can be injected into the networked devices through various protocols, such as network file system, file transfer protocol (FTP), and simple mail transfer protocol. In this paper, various computational techniques deployed at the client and server sides for XCS detection and mitigation are analyzed. Various web application scanners have been discussed along with specific features. Various computational tools and approaches with their respective characteristics are also discussed. Finally, shortcomings and future directions related to the existing computational techniques for XCS are presented.

Mario Kahlhofer,Stefan Rass

2024-05-21

Abstract:Cyber deception techniques that are tightly intertwined with applications pose significant technical challenges in production systems. Security measures are usually the responsibility of a system operator, but they are typically limited to accessing built software artifacts, not their source code. This limitation makes it particularly challenging to deploy cyber deception techniques at application runtime and without full control over the software development lifecycle. This work reviews 19 technical methods to accomplish this and evaluates them based on technical, topological, operational, and efficacy properties. We find some novel techniques beyond honeypots and reverse proxies that seem to have received little research interest despite their promise for cyber deception. We believe that overcoming these technical challenges can drive the adoption of more dynamic and personalized cyber deception techniques, tailored to specific classes of applications.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture,Software Engineering

Mohammad Borhani,Gurjot Singh Gaba,Juan Basaez,Ioannis Avgouleas,Andrei Gurtov

DOI: https://doi.org/10.1016/j.jii.2024.100623

IF: 11.718

2024-05-06

Journal of Industrial Information Integration

Abstract:Industrial device scanners allow anyone to scan devices on private networks and the Internet. They were intended as network security tools, but they are commonly exploited as attack tools, as scanning can reveal vulnerable devices. However, from a defensive perspective, this vulnerability disclosure could be used to secure devices if characteristics such as type, model, manufacturer, and firmware could be identified. Automated scanning reports can help to apply security measures before an attacker finds a vulnerability. A complete device recognition procedure can then be seen as the basis for auditing networks and identifying vulnerabilities to mitigate cyber-attacks, especially among Industrial Internet of Things (IIoT) devices that are part of critical systems. In this survey, considering SCADA (Supervisory Control and Data Acquisition) systems as monitoring and control components of essential infrastructure, we focus on analyzing the architectures, specifications, and constraints of several industrial device scanners. In addition, we examine the information revealed by the scanners to identify the threats posed by them on industrial systems and networks. We analyze monthly and yearly statistics of cyber-attack incidents to investigate the role of these scanners in accelerating attacks. By presenting the findings of an experimentation, we highlight how easily anyone could identify hundreds of Internet-connected industrial devices in Sweden, which could lead to a major service interruption in industrial environments designed for minimal human involvement. We also discuss several methods to avoid scanners or reduce their identifying capabilities to conceal industrial devices from unauthorized access.

computer science, interdisciplinary applications,engineering, industrial

Jacob Quibell

2024-05-19

Abstract:Cybercrime is estimated to cost the global economy almost \$10 trillion annually and with businesses and governments reporting an ever-increasing number of successful cyber-attacks there is a growing demand to rethink the strategy towards cyber security. The traditional, perimeter security approach to cyber defence has so far proved inadequate to combat the growing threat of cybercrime. Cyber deception offers a promising alternative by creating a dynamic defence environment. Deceptive techniques aim to mislead attackers, diverting them from critical assets whilst simultaneously gathering cyber threat intelligence on the threat actor. This article presents a proof-of-concept (POC) cyber deception system that has been developed to capture the profile of an attacker in-situ, during a simulated cyber-attack in real time. By dynamically and autonomously generating deception material based on the observed attacker behaviour and analysing how the attacker interacts with the deception material, the system outputs a prediction on the attacker's motive. The article also explores how this POC can be expanded to infer other features of the attacker's profile such as psychological characteristics. By dynamically and autonomously generating deception material based on observed attacker behaviour and analysing how the attacker interacts with the deception material, the system outputs a prediciton on the attacker's motive. The article also explores how this POC can be expanded to infer other features of the attacker's profile such as psychological characteristics.

Cryptography and Security

Frederico Araujo,Gbadebo Ayoade,Khaled Al-Naami,Yang Gao,Kevin W. Hamlen,Latifur Khan

DOI: https://doi.org/10.1016/j.jisa.2021.102880

IF: 4.96

2021-09-01

Journal of Information Security and Applications

Abstract:<p>Most conventional cyber defenses strive to reject detected attacks as quickly and decisively as possible; however, this instinctive approach has the disadvantage of depriving intrusion detection systems (IDSes) of learning experiences and threat data that might otherwise be gleaned from deeper interactions with adversaries. For IDS technology to improve, a next-generation cyber defense is proposed in which cyber attacks are unconventionally reimagined as free sources of live IDS training data. Rather than aborting attacks against legitimate services, adversarial interactions are selectively prolonged to maximize the defender's harvest of useful threat intelligence. Enhancing web services with deceptive attack-responses in this way is shown to be a powerful and practical strategy for improved detection, addressing several perennial challenges for machine learning-based IDS in the literature, including scarcity of training data, the high labeling burden for (semi-)supervised learning, encryption opacity, and concept differences between honeypot attacks and those against genuine services. By reconceptualizing software security patches as feature extraction engines, the approach conscripts attackers as free penetration testers, and coordinates multiple levels of the software stack to achieve fast, automatic, and accurate labeling of live web streams.</p><p>Prototype implementations are showcased for two feature set models to extract security-relevant network- and system-level features from cloud services hosting enterprise-grade web applications. The evaluation demonstrates that the extracted data can be fed back into a network-level IDS for exceptionally accurate, yet lightweight attack detection.</p>

computer science, information systems

Kanika Sharma,Naresh Kumar

DOI: https://doi.org/10.1109/iccccm.2013.6648920

2013-08-01

Abstract:Web applications are increasingly used to provide e-services such as online banking, online shopping, and social networking over the internet. With this advancement, the attacks over the web applications have also increased. According to Cenzic 2013 report 99% of web applications are vulnerable tested in 2012 [1]. The root causes behind these vulnerabilities are lack of security awareness, design flaws &amp; implementation bugs. Writing secure code for web application is a complex task as developer emphasis more on implementation of business logic for web application rather than implementing it with secure logic. These vulnerabilities might be exploited by malicious users which can harm the database &amp; reputation of an organization. In this paper we have proposed an Application Intrusion Detection System tool which can detect &amp; prevent web application attacks at the time of occurrence. We have implemented proposed approach with ASP.NET web application and also perform Chi Square test to validate our assumptions. Once completed SWART has future potential to detect and prevent maximum attacks with less complexity.

Li Xu,Zhenxin Zhan,Shouhuai Xu,Keyin Ye

DOI: https://doi.org/10.48550/arXiv.1408.1993

2014-08-09

Abstract:Malicious websites are a major cyber attack vector, and effective detection of them is an important cyber defense task. The main defense paradigm in this regard is that the defender uses some kind of machine learning algorithms to train a detection model, which is then used to classify websites in question. Unlike other settings, the following issue is inherent to the problem of malicious websites detection: the attacker essentially has access to the same data that the defender uses to train its detection models. This 'symmetry' can be exploited by the attacker, at least in principle, to evade the defender's detection models. In this paper, we present a framework for characterizing the evasion and counter-evasion interactions between the attacker and the defender, where the attacker attempts to evade the defender's detection models by taking advantage of this symmetry. Within this framework, we show that an adaptive attacker can make malicious websites evade powerful detection models, but proactive training can be an effective counter-evasion defense mechanism. The framework is geared toward the popular detection model of decision tree, but can be adapted to accommodate other classifiers.

Cryptography and Security,Artificial Intelligence

Phakpoom Chinprutthiwong,Raj Vardhan,Guangliang Yang,Guofei Gu

DOI: https://doi.org/10.1145/3427228.3427290

2020-01-01

Abstract:Nowadays, modern websites are utilizing service workers to provide users with app-like functionalities such as offline mode and push notifications. To handle such features, the service worker is equipped with special privileges including HTTP traffic manipulation. Thus, it is designed with security as a priority. However, we find that many websites introduce a questionable practice that can jeopardize the security of a service worker. In this work, we demonstrate how this practice can result in a cross-site scripting (XSS) attack inside a service worker, allowing an attacker to obtain and leverage service worker privileges. Due to the uniqueness of these privileges, such attacks can lead to more severe consequences compared to a typical XSS attack. We term this type of vulnerability as Service Worker based Cross-Site Scripting (SW-XSS). To assess the real-world security impact, we develop a tool called SW-Scanner and use it to analyze top websites in the wild. Our findings reveal a worrisome trend. In total, we find 40 websites vulnerable to this attack including several popular and high ranking websites. Finally, we discuss potential defense solutions to mitigate the SW-XSS vulnerability.

Stefan Marksteiner,Harald Lernbeiß,Bernhard Jandl-Scherf

DOI: https://doi.org/10.1145/2994475.2994479

2017-10-03

Abstract:As today's organizational computer networks are ever evolving and becoming more and more complex, finding potential vulnerabilities and conducting security audits has become a crucial element in securing these networks. The first step in auditing a network is reconnaissance by mapping it to get a comprehensive overview over its structure. The growing complexity, however, makes this task increasingly effortful, even more as mapping (instead of plain scanning), presently, still involves a lot of manual work. Therefore, the concept proposed in this paper automates the scanning and mapping of unknown and non-cooperative computer networks in order to find security weaknesses or verify access controls. It further helps to conduct audits by allowing comparing documented with actual networks and finding unauthorized network devices, as well as evaluating access control methods by conducting delta scans. It uses a novel approach of augmenting data from iteratively chained existing scanning tools with context, using genuine analytics modules to allow assessing a network's topology instead of just generating a list of scanned devices. It further contains a visualization model that provides a clear, lucid topology map and a special graph for comparative analysis. The goal is to provide maximum insight with a minimum of a priori knowledge.

Cryptography and Security

Yogendra Sao,Sk. Subidh Ali,Bodhisatwa Mazumdar

DOI: https://doi.org/10.1109/tcad.2024.3368289

IF: 2.9

2024-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Scan-based Design-for-testability (DfT) is the de facto standard in the semiconductor testing industry to guarantee the functional and structural correctness of chips. It provides improved observability and controllability, leading to enhanced fault coverage. However, owing to widespread usage, attackers devise techniques to misuse this method to steal secret keys embedded in a security-critical chip. A vast majority of off-the-shelf defense mechanisms are based on either randomizing the scan output or restricting access to the scan. However, none of these defense mechanisms leverage the fundamental properties of the scan attack; thus, they tend to be complex and incur high area and computation overhead. In this paper, we propose a defense mechanism by preventing the vulnerabilities of fundamental properties from being exploited in scan attacks. The paper first pinpoints the ultimate condition of the scan attack on Advanced Encryption Standard (AES). This attack condition is inherent to the cryptographic property of the cipher, which, when violated, thwarts the attack. To implement our defense, we interchange the AES round outputs by applying pre-computed masks. The designer chooses inputs with a fixed difference to swap the outputs. A modified incorrect key is recovered instead of an actual key if a scan-based attack is launched. To show the generality of the proposed defense, it is extended to another AES-like cipher, Light Encryption Device (LED). To the best of our knowledge, this is the first defense against a scan attack wherein the complete testing process, including structural and functional tests, can be outsourced to untrusted third parties without compromising the actual key. In comparison, logic locking techniques limaye2020thwarting can outsource only structural testing to untrusted third parties.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Federico Cerutti,Daniele Barattieri di San Pietro,Francesco Gringoli,Gianfranco Lamperti

DOI: https://doi.org/10.1016/j.procs.2022.09.142

2022-01-01

Procedia Computer Science

Abstract:The majority of websites incorporate JavaScript for client-side execution in a supposedly protected environment. Unfortunately, JavaScript has also proven to be a critical attack vector for both independent and state-sponsored groups of hackers. On the one hand, defenders need to analyze scripts to ensure that no threat is delivered and to respond to potential security incidents. On the other, attackers aim to obfuscate the source code in order to disorient the defenders or even to make code analysis practically impossible. Since code obfuscation may also be adopted by companies for legitimate intellectual-property protection, a dilemma remains on whether a script is harmless or malignant, if not criminal. To help analysts deal with such a dilemma, a methodology is proposed, called JACOB, which is based on five steps, namely: (1) source code parsing, (2) control flow graph recovery, (3) region identification, (4) code structuring, and (5) partial evaluation. These steps implement a sort of decompilation for control flow fattened code, which is progressively transformed into something that is close to the original JavaScript source, thereby making eventual code analysis possible. Most relevantly, JACOB has been successfully applied to uncover unwanted user tracking and fingerprinting in e-commerce websites operated by a well-known Chinese company.