from Hacker News

Show HN: Guardscript – Detect any changes made to your JavaScript files

by Dyaz17 on 6/24/19, 4:18 PM with 37 comments

  • by Dyaz17 on 6/24/19, 4:20 PM

    Hey HN!

    I created GuardScript because in my previous company we started to include more and more third-party JavaScript from SaaS services on our homepage, and this created security risks for us [1] [2].

    In order to reassure us, a few of these companies created independently what is essentially GuardScript: a service that monitors every few minutes any changes made to your JavaScript files and sends you a notification with the changes made. You can then detect any malicious modification by analyzing these results. I decided to build it for a broader audience.

    I'd love feedback and suggestions on how to make it better.

    Thanks!

    [1] https://www.theregister.co.uk/2018/09/12/feedify_magecart_ja
    [2] https://www.zdnet.com/article/hackers-breach-statcounter-to-...

  • by leppr on 6/25/19, 12:25 AM

    This is good, but this won't stop the first few visitors from getting pwned. Client-side check (SRI) is still the best solution.
  • by missblit on 6/25/19, 3:42 AM

    > How do you detect the modifications? We compute the hashes of the files regularly. If only one character in a file changes, its hash will change.

    Does this include HTTP headers? For instance a yay.js framework that helps people print 'yay' to the console could return:

      HTTP/1.1 301 MOVED PERMANENTLY
      LOCATION: http://evil.evil/evil.js
      
      console.log('yay!');
  • by godzillabrennus on 6/25/19, 1:42 AM

    Pricing seems high to me. A sub $10/month plan that lets someone check 30 files once a day or even once a week would be useful.

    Plenty of small companies have god awful WordPress sites with a ton of insecure JavaScript files. They don’t need to be checked every 10 minutes but they do need something to check.

  • by dmitrygr on 6/25/19, 12:01 AM

    I get relying on 3rd party libraries, but not hosting them yourself and just hoping that the current host never gets sold/owned/etc? That sounds insane to me...

    Sounds like curl | insmod /dev/stdin level insane

  • by stephenr on 6/25/19, 4:15 AM

    Apart from the "SaaS services" (I mean, are they really services for services?), this seems to boil down to:

    "We can't trust SaaS.... so we built a SaaS to alert you when the JS delivered by your SaaS changes...". So now you have to trust this SaaS to tell you that the other SaaS is still trustworthy.

  • by pietroglyph on 6/25/19, 1:19 AM

    Looks very cool. You have a typo in the pricing area of the page: it says "Sart Free Trial" instead of "Start Free Trial".

  • by snek on 6/25/19, 2:12 AM

    Imagine an internet where instead of making this tool, people stopped including billions of third party scripts.

  • by graphememes on 6/25/19, 3:17 AM

    You could do this with a free serverless function on AWS, why would I pay for it?