Show HN: Guardscript – Detect any changes made to your JavaScript files (opens in new tab)

(guardscript.com)

28 pointsDyaz176y ago37 comments

37 comments

Hey HN!

I created GuardScript because in my previous company we started to include more and more third-party Javascript from SaaS services on our homepage, and this created security risks for us [1] [2].

In order to reassure us, a few of these companies created independently what is essentially GuardScript: a service that monitors every few minutes any changes made to your Javascript files and sends you a notification with the changes made. You can then detect any malicious modification by analyzing these results.I decided to build it for a broader audience.

I'd love feedback and suggestions on how to make it better.

Thanks!

[1] https://www.theregister.co.uk/2018/09/12/feedify_magecart_ja [2] https://www.zdnet.com/article/hackers-breach-statcounter-to-...

ben5096y ago

What do you actually do about an alarm? Okay, I just got an email, check there's no release planned, I go through the diff and, oh crap, my customers are being pwned. Now I'm going to have to drop everything and manually disable those URLs until I can contact the maintainer of this service? I guess that's the unfortunate reality when using SaaS.

I'd want a runbook feature so that anyone getting the email has a procedure to:

* check release notes to identify a false alarm

* if not identify which source files the URL is used in

* disable those URLs

* flush caches

* confirm they're disabled

* contact the service provider

* roll back when upstream is fixed

Or something like that. Man, I do not miss ops work.

Dyaz17OP6y ago

You are right, for now all the analysis should be done by the owner of the script. I'll think about adding a runbook...

netsharc6y ago

So as a hacker, I will just need to hack statcounter to serve your IP the non-molested JS, and almost everyone else the bad JS, right?

jjeaff6y ago

If you want to mitigate that, you simply need to run this from, or proxy the request through, some other random ip address.

ben5096y ago

Under "pricing" all the "start" buttons say "sart". (Checked Chrome and FF.)

Dyaz17OP6y ago

Thank you! I have changed it.

BubRoss6y ago

Why wouldn't someone just detect changes to the files at the OS level?

godzillabrennus6y ago

Not all hosts give you control at the OS level.

jjeaff6y ago

It sounds like this is talking about 3rd party scripts included in the page. Like Google analytics and the like.

1 more reply

jhgg6y ago

>GuardScript is usefull when Subressource integrity is not feasible or not implemented, which is most of the time for SaaS services.

Can you explain what this means?

Dyaz17OP6y ago

Well many companies that offer you a service don't include the Subresource integrity Tag.

Check for instance Stripe : <script src="https://js.stripe.com/v3"></script> or Facebook : <script async defer src="https://connect.facebook.net/en_US/sdk.js"></script>

If they offer you a javascript and it has to change frequently to fix bugs, for instance, they don't want to be bothered with having to coordinate with all their customers to change the subresource integrity tag...

In this case our service could be an alternative.

leppr6y ago

Suggestion: Monitor other potential attack vectors like CSS files.

Dyaz17OP6y ago

Thanks for the suggestion

leppr6y ago

This is good, but this won't stop the first few visitors from getting pwned. Client-side check (SRI) is still the best solution.

Dyaz17OP6y ago

You are right. SRI is the best solution and I mention it in the FAQ. Unfortunately, it can't always be implemented. See my previous comment :

Well many companies that offer you a service don't include the Subresource integrity Tag. Check for instance Stripe : <script src="https://js.stripe.com/v3"></script> or Facebook : <script async defer src="https://connect.facebook.net/en_US/sdk.js"></script>

In this case, our service could be an alternative.

missblit6y ago

> How do you detect the modifications? We compute the hashes of the files regularly. If only one character in a file changes, his hash will change.

Does this include HTTP headers? For instance a yay.js framework that helps people print 'yay' to the console could return:

  HTTP/1.1 301 MOVED PERMANENTLY
  LOCATION: http://evil.evil/evil.js
  
  console.log('yay!');

Dyaz17OP6y ago

No it does not include the headers. Only the js file downloaded.

godzillabrennus6y ago

Pricing seems high to me. A sub $10/month plan that lets someone check 30 files once a day or even once a week would be useful.

Plenty of small companies have god awful Wordpress sites with a ton of insecure JavaScript files. They don’t need to be checked every 10 minutes but they do need something to check.

Dyaz17OP6y ago

Thanks for the suggestion.

dmitrygr6y ago

I get relying on 3rd party libraries, but not hosting them yourself and just hoping that the current host never gets sold/owned/etc? That sounds insane to me...

Sounds like curl | insmod /dev/stdin level insane

GhostVII6y ago

Sounds pretty insane to me too, but I think it is valuable to let people do insane things more securely, as I don't think security concerns are generally a very big deterrent in software development (unfortunately).

ben5096y ago

Some 3rd party services, though, serve up libraries, e.g. disqus.

koolba6y ago

And those 3rd party libs can dynamically load other files via script tags. The first level does not even have to change for dynamically loaded scripts to change.

jjeaff6y ago

Lots of 3rd party services don't allow you to host your own copy of their library.

1 more reply

stephenr6y ago

Apart from the "SaaS services" (I mean, are they really services for services?), this seems to boil down to:

"We can't trust SaaS.... so we built a SaaS to alert you when the JS delivered by your SaaS changes...". So now you have to trust this SaaS to tell you that the other SaaS is still trustworthy.

quickthrower26y ago

That's the premise behind most security software. We can't trust the internet, so download a firewall from the internet to block traffic from the internet.

stephenr6y ago

The software you download is generally signed by a party that you do trust though, and then runs locally on your computer.

And of course, that also doesn't really apply if you're using an operating system that includes a firewall by default.

Dyaz17OP6y ago

For now, Guardscript Goal is for the different SaaS services to use it, not for the individual website owners to use it to monitor the JS of SaaS services.

pietroglyph6y ago

Looks very cool. You have a typo in the pricing area of the page: it says "Sart Free Trial" instead of "Start Free Trial".

Dyaz17OP6y ago

Thank you, I have corrected it

snek6y ago

Imagine an internet where instead of making this tool, people stopped including billions of third party scripts.

leppr6y ago

Imagine an operating system where instead of making this tool, people stopped including billions of third party libraries.

graphememes6y ago

You could do this with a free serverless function on aws, why would I pay for it

viraptor6y ago

To save time you'd otherwise spend writing and testing the serverless function. This applies to literally every SaaS.

graphememes6y ago

This isn't particularly a hard thing to do, and the testing framework is pretty much baked into AWS. There are libraries to do this already.

You do you though.

j / k navigate · click thread line to collapse

37 comments

Dyaz17OP6y ago

Hey HN!

I created GuardScript because in my previous company we started to include more and more third-party Javascript from SaaS services on our homepage, and this created security risks for us [1] [2].

I'd love feedback and suggestions on how to make it better.

Thanks!

[1] https://www.theregister.co.uk/2018/09/12/feedify_magecart_ja [2] https://www.zdnet.com/article/hackers-breach-statcounter-to-...

ben5096y ago

I'd want a runbook feature so that anyone getting the email has a procedure to:

* check release notes to identify a false alarm

* if not identify which source files the URL is used in

* disable those URLs

* flush caches

* confirm they're disabled

* contact the service provider

* roll back when upstream is fixed

Or something like that. Man, I do not miss ops work.

Dyaz17OP6y ago

You are right, for now all the analysis should be done by the owner of the script. I'll think about adding a runbook...

netsharc6y ago

So as a hacker, I will just need to hack statcounter to serve your IP the non-molested JS, and almost everyone else the bad JS, right?

jjeaff6y ago

If you want to mitigate that, you simply need to run this from, or proxy the request through, some other random ip address.

ben5096y ago

Under "pricing" all the "start" buttons say "sart". (Checked Chrome and FF.)

Dyaz17OP6y ago

Thank you! I have changed it.

BubRoss6y ago

Why wouldn't someone just detect changes to the files at the OS level?

godzillabrennus6y ago

Not all hosts give you control at the OS level.

jjeaff6y ago

It sounds like this is talking about 3rd party scripts included in the page. Like Google analytics and the like.

1 more reply

jhgg6y ago

>GuardScript is usefull when Subressource integrity is not feasible or not implemented, which is most of the time for SaaS services.

Can you explain what this means?

Dyaz17OP6y ago

Well many companies that offer you a service don't include the Subresource integrity Tag.

Check for instance Stripe : <script src="https://js.stripe.com/v3"></script> or Facebook : <script async defer src="https://connect.facebook.net/en_US/sdk.js"></script>

In this case our service could be an alternative.

leppr6y ago

Suggestion: Monitor other potential attack vectors like CSS files.

Dyaz17OP6y ago

Thanks for the suggestion

leppr6y ago

This is good, but this won't stop the first few visitors from getting pwned. Client-side check (SRI) is still the best solution.

Dyaz17OP6y ago

You are right. SRI is the best solution and I mention it in the FAQ. Unfortunately, it can't always be implemented. See my previous comment :

In this case, our service could be an alternative.

missblit6y ago

> How do you detect the modifications? We compute the hashes of the files regularly. If only one character in a file changes, his hash will change.

Does this include HTTP headers? For instance a yay.js framework that helps people print 'yay' to the console could return:

  HTTP/1.1 301 MOVED PERMANENTLY
  LOCATION: http://evil.evil/evil.js
  
  console.log('yay!');

Dyaz17OP6y ago

No it does not include the headers. Only the js file downloaded.

godzillabrennus6y ago

Pricing seems high to me. A sub $10/month plan that lets someone check 30 files once a day or even once a week would be useful.

Plenty of small companies have god awful Wordpress sites with a ton of insecure JavaScript files. They don’t need to be checked every 10 minutes but they do need something to check.

Dyaz17OP6y ago

Thanks for the suggestion.

dmitrygr6y ago

I get relying on 3rd party libraries, but not hosting them yourself and just hoping that the current host never gets sold/owned/etc? That sounds insane to me...

Sounds like curl | insmod /dev/stdin level insane

GhostVII6y ago

ben5096y ago

Some 3rd party services, though, serve up libraries, e.g. disqus.

koolba6y ago

And those 3rd party libs can dynamically load other files via script tags. The first level does not even have to change for dynamically loaded scripts to change.

jjeaff6y ago

Lots of 3rd party services don't allow you to host your own copy of their library.

1 more reply

stephenr6y ago

Apart from the "SaaS services" (I mean, are they really services for services?), this seems to boil down to:

"We can't trust SaaS.... so we built a SaaS to alert you when the JS delivered by your SaaS changes...". So now you have to trust this SaaS to tell you that the other SaaS is still trustworthy.

quickthrower26y ago

That's the premise behind most security software. We can't trust the internet, so download a firewall from the internet to block traffic from the internet.

stephenr6y ago

The software you download is generally signed by a party that you do trust though, and then runs locally on your computer.

And of course, that also doesn't really apply if you're using an operating system that includes a firewall by default.

Dyaz17OP6y ago

For now, Guardscript Goal is for the different SaaS services to use it, not for the individual website owners to use it to monitor the JS of SaaS services.

pietroglyph6y ago

Looks very cool. You have a typo in the pricing area of the page: it says "Sart Free Trial" instead of "Start Free Trial".

Dyaz17OP6y ago

Thank you, I have corrected it

snek6y ago

Imagine an internet where instead of making this tool, people stopped including billions of third party scripts.

leppr6y ago

Imagine an operating system where instead of making this tool, people stopped including billions of third party libraries.

graphememes6y ago

You could do this with a free serverless function on aws, why would I pay for it

viraptor6y ago

To save time you'd otherwise spend writing and testing the serverless function. This applies to literally every SaaS.

graphememes6y ago

This isn't particularly a hard thing to do, and the testing framework is pretty much baked into AWS. There are libraries to do this already.

You do you though.

j / k navigate · click thread line to collapse