About the Project

Web applications consist of various scripts, namely the original scripts from the application (1st party) and scripts from service providers (3rd party), which are external resources that the application depends on to perform specific tasks.

These resources are executed within the application context with the same privileges as the application’s original scripts. However, they are not directly maintained or controlled by the application developers, meaning attackers could exploit them to carry out malicious actions, such as collecting sensitive data.

To mitigate this well-known problem and provide greater control over what is being executed within the application context, the project aims to build a knowledge base containing the behavioral models of scripts and vendors on the web.

This enables the creation of rulesets that determine the actions a specific vendor or script can perform in a web application, an approach known as Script Fencing.

Inherent to this goal, three other objectives of the project can be highlighted:

Database Query Module

Implementing a module that enables querying the database using recognized scripts as input.

AI-Powered Script Classification

Utilizing Artificial Intelligence models to accurately identify and classify scripts.

Automatic Script Fencing Rules

Generating Script Fencing rules automatically.

Behaviors are defined as actions that occur on web pages, such as sending a network request, setting a cookie, and creating a form, among many others. The sequence in which these actions happen is also part of the behavioral model that is generated and stored. By recording these details, the behavioral model provides a comprehensive representation of the script's normal behavior, which can be used to detect deviations from expected patterns and identify potentially malicious activities.


With an extensive collection of behavioral models, the behavioral model of each script observed in a web application can be matched against its corresponding model in the knowledge base, which determines the actions that script can perform within its context.
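
The matching of an observed script against its stored behavioral model can be sketched as follows. This is an added illustration, not code from the ORACLE project: the action labels, vendor name, traces and rule format are assumptions constructed for the example, and the model is simplified to a set of actions plus directly adjacent action pairs.

```javascript
// Build a behavioral model from known-good traces: the set of actions seen
// and the set of ordered transitions (action A directly followed by action B).
function buildModel(traces) {
  const actions = new Set();
  const transitions = new Set();
  for (const trace of traces) {
    let prev = "START";
    for (const action of trace) {
      actions.add(action);
      transitions.add(`${prev}>${action}`);
      prev = action;
    }
  }
  return { actions, transitions };
}

// Compare an observed trace with the model and report every deviation.
function findDeviations(model, trace) {
  const deviations = [];
  let prev = "START";
  trace.forEach((action, index) => {
    if (!model.actions.has(action)) {
      deviations.push({ index, action, reason: "unknown-action" });
    } else if (!model.transitions.has(`${prev}>${action}`)) {
      deviations.push({ index, action, reason: "unexpected-order" });
    }
    prev = action;
  });
  return deviations;
}

// Derive an allowlist-style fencing rule: anything not listed is denied.
function toFencingRule(vendor, model) {
  return { vendor, default: "deny", allow: [...model.actions].sort() };
}

// Constructed baseline traces for a hypothetical analytics vendor.
const baseline = [
  ["cookie.read:_aid", "network.request:analytics.example", "cookie.set:_aid"],
  ["cookie.read:_aid", "network.request:analytics.example"],
];
const model = buildModel(baseline);

// Constructed observation: the same script now reads a form field and
// sends data to a host that is not in its model.
const observed = ["cookie.read:_aid", "dom.read:input#card-number",
  "network.request:collector.example"];
console.log(findDeviations(model, observed));
console.log(toFencingRule("analytics.example", model));
```

Tracking transitions as well as actions lets the check flag a script that uses only permitted actions but in an order never seen in its baseline.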

Enforce Licensing and Regulatory Compliance

The ORACLE solution aims to address the problem of automatically generating rules that can proactively block any behavior that does not fit the expected behavioral model of a vendor or script.

Although the project focuses on this specific use case, it has unlimited growth potential, as it offers an updated database for various service providers that increases visibility over them and assists in decision-making.

The Oracle Project Partners

Jscrambler

Jscrambler, a global leader in Client-Side Protection and Compliance, serves as the principal co-promoter of this project, contributing its extensive expertise in securing client-side applications and monitoring behaviors in web environments. The project aims to improve the security of client-side applications by developing a prototype that monitors and classifies behaviors in web applications, identifying risks and potential threats using Artificial Intelligence.


In this context, Jscrambler will leverage its experience in analyzing and protecting web applications to support mapping interactions between resources and behaviors. This expertise will be key to enabling a detailed risk assessment and advancing the development of innovative solutions for detecting and mitigating security threats. Jscrambler’s contribution focuses on its deep understanding of JavaScript behaviors, runtime analysis, and risk classification, aligning with the project’s goal of providing actionable insights into client-side security.


By combining practical security applications with the project’s research objectives, Jscrambler will help deliver impactful results that strengthen the protection of client-side applications and advance both technical and academic outcomes. This includes supporting and disseminating results through academic theses, publications, and educational materials, reinforcing the project’s contribution to advancing security standards in web environments.

CCG/ZGDV Institute

With more than 30 years of experience as an interface between the research ecosystem and the business world, the CCG/ZGDV Institute is today one of the most renowned technology and innovation centers in Information and Communication Technologies (ICT). It focuses on applied research and technological innovation for the digital economy, designing and prototyping new processes, services, and high-value products in computer graphics, ubiquitous computing, human-machine interaction, and information engineering. The CCG/ZGDV's mission is to boost the growth and innovation of companies, organizations, and the economy in general, responding to global market challenges.