by Dyaz17 2552 days ago
Hey HN!

I created GuardScript because in my previous company we started to include more and more third-party Javascript from SaaS services on our homepage, and this created security risks for us [1] [2].

In order to reassure us, a few of these companies created independently what is essentially GuardScript: a service that checks your JavaScript files every few minutes for any changes and sends you a notification with the changes made. You can then detect any malicious modification by analyzing these results. I decided to build it for a broader audience.

I'd love feedback and suggestions on how to make it better.

Thanks!

[1] https://www.theregister.co.uk/2018/09/12/feedify_magecart_ja

[2] https://www.zdnet.com/article/hackers-breach-statcounter-to-...

6 comments

What do you actually do about an alarm? Okay, I just got an email, check there's no release planned, I go through the diff and, oh crap, my customers are being pwned. Now I'm going to have to drop everything and manually disable those URLs until I can contact the maintainer of this service? I guess that's the unfortunate reality when using SaaS.

I'd want a runbook feature so that anyone getting the email has a procedure to:

* check release notes to identify a false alarm
* if not, identify which source files the URL is used in
* disable those URLs
* flush caches
* confirm they're disabled
* contact the service provider
* roll back when upstream is fixed

Or something like that. Man, I do not miss ops work.

You are right, for now all the analysis should be done by the owner of the script. I'll think about adding a runbook...

So as a hacker, I will just need to hack statcounter to serve your IP the non-molested JS, and almost everyone else the bad JS, right?

If you want to mitigate that, you simply need to run this from, or proxy the request through, some other random IP address.

Under "pricing" all the "start" buttons say "sart". (Checked Chrome and FF.)

Thank you! I have changed it.

Why wouldn't someone just detect changes to the files at the OS level?

Not all hosts give you control at the OS level.

It sounds like this is talking about 3rd-party scripts included in the page, like Google Analytics and the like.

Exactly.
> GuardScript is useful when Subresource Integrity is not feasible or not implemented, which is most of the time for SaaS services.

Can you explain what this means?

Well, many companies that offer you a service don't include the Subresource Integrity tag.

Check for instance Stripe: <script src="https://js.stripe.com/v3"></script> or Facebook: <script async defer src="https://connect.facebook.net/en_US/sdk.js"></script>

If they offer you a JavaScript file and it has to change frequently to fix bugs, for instance, they don't want to be bothered with having to coordinate with all their customers to change the Subresource Integrity tag...

In this case our service could be an alternative.
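A worked example of the two options discussed in this thread, added here and not part of the thread or of GuardScript's code: computing a Subresource Integrity value and the pinned tag for a script you have reviewed, and the hash-compare-then-diff fallback for a vendor script that changes too often to pin. The script bytes and the vendor hostnames are constructed for the example.

```python
import base64
import difflib
import hashlib

# Constructed sample: a reviewed "baseline" copy of a vendor script and a
# later copy in which the endpoint host was silently changed. Not real code.
BASELINE_JS = b"""(function(){
  var api = 'https://example-vendor.invalid/v1';
  window.vendorTrack = function(e){ fetch(api + '/t', {body: e}); };
})();
"""
MODIFIED_JS = b"""(function(){
  var api = 'https://not-the-vendor.invalid/v1';
  window.vendorTrack = function(e){ fetch(api + '/t', {body: e}); };
})();
"""


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Value for a <script integrity="..."> attribute: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Pinned form of a plain <script src=...> tag; the browser refuses a mismatch."""
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            'crossorigin="anonymous"></script>')


def detect_change(baseline: bytes, current: bytes, name: str) -> list:
    """Monitoring fallback when SRI is not feasible: [] if unchanged, else a
    unified diff the on-call person can read before deciding to pull the script."""
    if sri_integrity(baseline) == sri_integrity(current):
        return []
    return list(difflib.unified_diff(
        baseline.decode().splitlines(), current.decode().splitlines(),
        fromfile=f"{name} (baseline)", tofile=f"{name} (current)", lineterm=""))


if __name__ == "__main__":
    # Option 1: pin the reviewed copy (only workable if the vendor rarely changes it).
    print(script_tag("https://example-vendor.invalid/sdk.js", BASELINE_JS))
    # Option 2: poll, hash, and alert with a diff when the served bytes change.
    for line in detect_change(BASELINE_JS, MODIFIED_JS, "sdk.js"):
        print(line)
```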

Suggestion: Monitor other potential attack vectors like CSS files.
Thanks for the suggestion.