Abstract
The web has become a vector for attacks, and many of these attacks cannot be easily detected in real time. Because of this, we often find ourselves analyzing past attacks retroactively. Performing refined forensic analysis on browser-based web attacks, such as drive-by download attacks, social engineering attacks, phishing attacks, and clickjacking attacks, is therefore a consequential, challenging and time-consuming task. Previous approaches, based on sparse system logs and browser caches, can hardly reconstruct a precise view of an attack due to the lack of sufficient information.

To solve this problem, an in-browser recording and replay system is needed. This system has to be always-on, be lightweight and have the ability to be integrated into different popular browsers and platforms, including mobile devices.

Since most web attacks are JavaScript-driven, we first propose to build a novel system for in-browser recording and replay of JavaScript programs. We achieve our goal in two steps: a recording-only system (JSgraph) and a recording and replay system (JSCapsule).

We propose JSgraph, a novel system for the in-browser recording and reconstruction of JavaScript programs. Our system considers the JavaScript engine as a black box with a thin instrumentation layer around it. At the time of recording, this instrumentation layer records inputs and behaviors to/from the JavaScript engine in order to enable a detailed, post-mortem reconstruction of ephemeral JS-based web attacks experienced by real network users. JSgraph is carefully designed to be lightweight and efficient, with a median overhead on popular website page loads between 3.2% and 3.9%. We also design the system to be portable, which means it can be integrated into different popular browsers and platforms with minimal or no changes.

A more generic framework built on Chrome's DevTools is further designed to address the problems in JSgraph, and it also provides the foundation to build an in-browser deterministic recording and replay system in the future.

While JSgraph can reconstruct JavaScript behaviors, it cannot reconstruct web attacks that do not leverage a visual lure to the user and changes to the DOM. To address this problem, we propose JSCapsule, a novel system for the in-browser recording and replay of JavaScript programs, which provides the ability to get step-by-step information about what happened in the JavaScript, in order to gain a more precise understanding of attack code for the deployment of counter defenses. More future work on automatically generating instrumentation for recording is needed in order to build a fully deterministic recording and replay system for JavaScript execution to assist the analysis of web-borne attacks.