SMURF Monitor Unveils Roadblocking Features

Here, you find the source code to the NDSS 2021 submission Who's Hosting the Block Party? Studying Third-Party Blockage of CSP and SRI. Furthermore, we release the manually labelled set of site connections here.

Installation

Download the zipped source code package. You can then make use of our provided Docker container by issuing the following two commands:

docker build -t smurf .
docker run --cap-add=SYS_ADMIN -it smurf:latest /bin/bash

Local installation

If you want to install it locally, you need a working Node and NPM installation for your system and additionally need to install our dependencies by invoking

npm install
Note that depending on your operating system, you may have to modify config.executablePath (in arguments.js) to point to your installation of Chrome/Chromium.

Running analyses

To run the toolchain, you can simply invoke smurf.js and pass the URL you want to check.

node smurf.js --url https://realtor.com
This will visit https://realtor.com and generate a simplified inclusion tree of the main frame. It will print those chains which exhibit more than two parties according to the eTLD+1. Additionally supplying --showCspResults as a command-line parameter will provide the results of our incompatibility analysis of the observed behavior, aggregated to hosts.

For an example of the aforementioned URL, see the results below. It indicates that securepubads.g.doubleclick.net is parser-inserting scripts, making strict-dynamic infeasible. It also indicates that the site itself writes inline scripts, and that securepubads.g.doubleclick.net, ajax.googleapis.com, and assets.adobedtm.com add elements to the DOM which contain inline event handlers; all of these require unsafe-inline. Finally, we see that the host itself as well as c.amazon-adsystem.com use eval, requiring a potential CSP to contain unsafe-eval as well.
$ node smurf.js --url https://realtor.com --showCspResults
[SMURF] Starting chrome...
[SMURF] Setting up...
[SMURF] Visiting https://realtor.com
[SMURF] Please wait up to 30 seconds
[SMURF] Loaded https://www.realtor.com/
[SMURF] Inclusion analysis:
https://www.realtor.com/
===>
===> https://static.criteo.net/js/ld/publishertag.prebid.js

https://www.realtor.com/assets/prod/c3d00b9/_next/static/runtime/main-3d44de64d2d764f35183.js
===> https://www.realtor.com/rdc_user_check.js
===> https://www.realtor.com/assets/prod/c3d00b9/_next/static/chunks/64.96b7b41f05d066991906.js
===> https://ajax.googleapis.com/ajax/libs/webfont/1/webfont.js
===> https://assets.adobedtm.com/6809d1ba6f0c/c4bef609fe0d/launch-b1aeef4798eb.min.js
======> https://connect.facebook.net/en_US/fbevents.js
===> https://connect.facebook.net/en_US/sdk.js
===> https://apis.google.com/js/api:client.js
===> https://apis.google.com/js/platform.js

https://securepubads.g.doubleclick.net/tag/js/gpt.js
===> https://adservice.google.de/adsid/integrator.js?domain=www.realtor.com
===> https://securepubads.g.doubleclick.net/gpt/pubads_impl_2020072701.js
===> https://adservice.google.com/adsid/integrator.js?domain=www.realtor.com

=========================================================================================================
[SMURF] CSP analysis:
{
  strictDynamicViolator: Set(1) { 'securepubads.g.doubleclick.net' },
  inlineScriptWritingHosts: Set(1) { 'www.realtor.com' },
  inlineHandlerWritingHosts: Set(4) {
    'www.realtor.com',
    'securepubads.g.doubleclick.net',
    'ajax.googleapis.com',
    'assets.adobedtm.com'
  },
  evalUsingHosts: Set(2) { 'www.realtor.com', 'c.amazon-adsystem.com' }
}
=========================================================================================================
=========================================================================================================
[SMURF] Order (in each block)
[SMURF]  - The first URL caused the avalanche of inclusions, if it is the loaded URL it was initiated by an inline script
[SMURF]  - The last URL was the finally included script caused by all above it
[SMURF] Indentation
[SMURF]  - Indentation indicates inclusion depth
[SMURF]  - Same indentation indicates that one resource included multiple further resources
[SMURF] Colors
[SMURF]  - Same color means same party (uses eTLD+1 without extended same-party)
[SMURF]  - If more parties than colors available, grey is used for the remaining
[SMURF]  - Colors are reset between blocks
[SMURF] Trees are simplified to get useable output on the console
[SMURF]  - Only prints scripts with at least two different third parties in the subtree
=========================================================================================================
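To make the aggregation described above concrete, here is an added example (not part of SMURF) that takes the result object printed by --showCspResults and derives which script-src keywords a CSP for the site would need, attributing each required relaxation to the third parties that force it. It assumes the four Set-valued fields shown in the output; the eTLD+1 helper is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```javascript
// Added example, not part of SMURF: turn the aggregated result printed by
// --showCspResults into the script-src keywords a CSP for the site would need,
// and attribute each required relaxation to the third parties that force it.
// Assumption: the result uses the four Set-valued fields shown above.
// etldPlusOne is a simplification (last two labels, no Public Suffix List).

function etldPlusOne(host) {
  return host.split('.').slice(-2).join('.');
}

function deriveCspRequirements(result, siteHost) {
  const site = etldPlusOne(siteHost);
  // Hosts outside the site's eTLD+1, i.e. the third parties blocking a stricter policy.
  const thirdParties = (hosts) =>
    [...hosts].filter((h) => etldPlusOne(h) !== site).sort();
  const inlineHosts = new Set([
    ...result.inlineScriptWritingHosts,
    ...result.inlineHandlerWritingHosts,
  ]);
  // Parser-inserted scripts are blocked under 'strict-dynamic', so any violator
  // forces an allowlist-based policy instead of a nonce + 'strict-dynamic' one.
  const strictDynamicFeasible = result.strictDynamicViolator.size === 0;
  const requiredKeywords = [];
  // Inline scripts and inline event handlers (which cannot carry a nonce) need 'unsafe-inline'.
  if (inlineHosts.size > 0) requiredKeywords.push("'unsafe-inline'");
  if (result.evalUsingHosts.size > 0) requiredKeywords.push("'unsafe-eval'");
  return {
    strictDynamicFeasible,
    requiredKeywords,
    blockedBy: {
      'strict-dynamic': thirdParties(result.strictDynamicViolator),
      'unsafe-inline': thirdParties(inlineHosts),
      'unsafe-eval': thirdParties(result.evalUsingHosts),
    },
  };
}

// Constructed input: the realtor.com result shown above.
const realtorResult = {
  strictDynamicViolator: new Set(['securepubads.g.doubleclick.net']),
  inlineScriptWritingHosts: new Set(['www.realtor.com']),
  inlineHandlerWritingHosts: new Set([
    'www.realtor.com', 'securepubads.g.doubleclick.net',
    'ajax.googleapis.com', 'assets.adobedtm.com',
  ]),
  evalUsingHosts: new Set(['www.realtor.com', 'c.amazon-adsystem.com']),
};

console.log(JSON.stringify(deriveCspRequirements(realtorResult, 'www.realtor.com'), null, 2));
```

The blockedBy lists are the actionable part for a site operator: each names the third-party inclusions that would have to change before the corresponding keyword could be dropped from the policy.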