Javascript Analysis Tool

[.Ocean]

Hi guys,

 

I am trying to find a tool or browser add on that will show me all of the javascript that is run when I load a web page (obfuscated or not) and then tell me exactly what it is doing. Specifically I am trying to find a tool that will assist me in identifying javascript snippets that are creating tracking pixels (1x1 images) and also be able to identify where these javascript snippets are being downloaded from or where the images they create are being downloaded from.

Any info you guys might be able to provide is greatly appreciated, thank you in advance!

[riklaunim]

That's more of a job for privacy checking tools - and they cover not only image pixels but many "shady" way of tagging a browser.

[.Ocean]

12 hours ago, riklaunim said:

That's more of a job for privacy checking tools - and they cover not only image pixels but many "shady" way of tagging a browser.

So would you be able to provide me the name of any of these tools? I don't need them to protect privacy but more to analyze what exactly is going on. Specifically to understand what each piece of JavaScript is doing on a webpage so I can identify which snippets of JavaScript are spawning tracking pixels.

[WiiManic]

Quote

Specifically to understand what each piece of JavaScript is doing on a webpage

 

I mean, I think what you are asking for is basically impossible. You aren't going to find something that describes what every bit of code is doing, since that is a impossibly large task to do. You'd essentially need to write a program that can understand and explain any program at all...which is as hard as it sounds.

 

Both Firefox + Chrome have the dev tools when you press "F12". Then if you go on the network tab, and select "JS" you'll see all the JS that is being downloaded. You can click them, and see the code. But you'd need to check them over regardless. But it will at least let you see what files are being loaded etc.

 

If you are worried about being tracked, you'd be best suited using the common browser extensions. There is a list of the common ones over on https://www.privacytools.io/#browser.

 

If you are looking more out of interest, just look into them online, I expect there is multiple explanations of how and why they work, and how to avoid it.

[.Ocean]

6 minutes ago, WiiManic said:

 

I mean, I think what you are asking for is basically impossible. You aren't going to find something that describes what every bit of code is doing, since that is a impossibly large task to do. You'd essentially need to write a program that can understand and explain any program at all...which is as hard as it sounds.

 

Both Firefox + Chrome have the dev tools when you press "F12". Then if you go on the network tab, and select "JS" you'll see all the JS that is being downloaded. You can click them, and see the code. But you'd need to check them over regardless. But it will at least let you see what files are being loaded etc.

 

If you are worried about being tracked, you'd be best suited using the common browser extensions. There is a list of the common ones over on https://www.privacytools.io/#browser.

 

If you are looking more out of interest, just look into them online, I expect there is multiple explanations of how and why they work, and how to avoid it.

I'm not looking for a tool that will explain in plain English what code is doing that's absolutely absurd. I am looking more for a tool that will tell me if JavaScript is making GET requests or loading images into the HTML (that is an oddly specific job though so I would figure that a tool would keep a ledger of what function calls or GET requests or whatever which JavaScript snippet is doing). Manually looking over the JavaScript in a page is a pretty big nono as I have multiple web pages with large amounts of JavaScript to audit, not to mention the majority of JavaScript that I am interested in is going to be obfuscated and not really human readable.

 

If I was interested in privacy or preventing tracking myself I would just download the appropriate browser add-ons. I already have a strong understanding of how various tracking tools work. This work is being done as research within an academic institution. If you know of any tool that could help me out, or any helpful direction I could look in it would be greatly appreciated.

[riklaunim]

4 hours ago, .Ocean said:

So would you be able to provide me the name of any of these tools? I don't need them to protect privacy but more to analyze what exactly is going on. Specifically to understand what each piece of JavaScript is doing on a webpage so I can identify which snippets of JavaScript are spawning tracking pixels.

I don't have any at hand, just seen few working - detecting various types of cookies,  tagging by DNS caches and way more. If you are only for plain pixels then just look at the network calls the page makes in the browser when you open it - domains called and so on. uBlock can also block a lot of them so you can look at what it blocked too

[.Ocean]

38 minutes ago, riklaunim said:

I don't have any at hand, just seen few working - detecting various types of cookies,  tagging by DNS caches and way more. If you are only for plain pixels then just look at the network calls the page makes in the browser when you open it - domains called and so on. uBlock can also block a lot of them so you can look at what it blocked too

Will the browsers network tab be able to tell me which JavaScript function initiated that call though?

[riklaunim]

Nope - and it also can be whatever inlined obfuscated code. Don't really know why you want to see that code as it can change at any given time yet still do the same thing of making an XHR request to other site or if JS can't be executed - link an image instead in a plain tag. Blocking apps usually blacklist the destination services and do not interfere with JS on the site.

[.Ocean]

23 minutes ago, riklaunim said:

Nope - and it also can be whatever inlined obfuscated code. Don't really know why you want to see that code as it can change at any given time yet still do the same thing of making an XHR request to other site or if JS can't be executed - link an image instead in a plain tag. Blocking apps usually blacklist the destination services and do not interfere with JS on the site.

I want to see that code because the whole purpose of the research is to identify the relationship between those JS snippets and the tracking pixels present on a webpage. It might change tomorrow but the data I gather that day will still be valuable for the research.

[riklaunim]

Then just get a pixel from Facebook, Google remarketing code and other systems for yourself. It's easy. Add Google Analytics and other popular services and you should have enough.

[.Ocean]

10 hours ago, riklaunim said:

Then just get a pixel from Facebook, Google remarketing code and other systems for yourself. It's easy. Add Google Analytics and other popular services and you should have enough.

I don't quite understand what you are saying here. My aim is to analyze the relationship between tracking pixels and JS tracking snippets on OTHER websites. I'm not trying to set up my own. The aim is to study how other websites are implementing them and the relationship between the two.

[riklaunim]

First you should know how they work and what features Google or Facebook tools provide. Then look for case studies because code itself is kind of bad source of business logic. Like you may see pixels on an online shop but special actions will show up when you for example check-out your purchase. There isn't anything complex about copy pasting a pixel code, there is no implementation to that part, the value is in the business logic. It can be simple with no additional actions - so just simple copy-paste of the code to do remarketing ads or quite complex analytic tool for sales funnels and more were you will see multiple actions sent under given conditions.

[.Ocean]

I still don't think you understand, I have done the academic research required to understand how these work, their purpose in the internet economy and so on. I am not interested in JUST Google or Facebook, there are several other very large analytics companies implementing tracking software on webpages. I already understand how they work. I want to now explore the relation ship between the JS tracking code that is present on a webpage as well as the tracking pixels present or that are spawned because of the JS. Doing this by hand is extremely tedious and some times impossible which is why I am hopeful there is a tool that keeps track of what JS does when it executes on a web page. I am not interested in implementing my own, going through that exercise would frankly be a waste of my time. I could care less for the business logic of the trackers. I want to understand how the trackers are acting when a webpage is loaded.

[riklaunim]

2 hours ago, .Ocean said:

I want to understand how the trackers are acting when a webpage is loaded.

Acting? It's mostly server side logic of the tracker provider. You get a cookie or a GET request to a fake image and the tracker provider saves date associated with your device unique identifier - wherever it's cookie value, mac address, IP, system fonts, user agent and what not. Hard to see what you want to achieve.