
Show HN: Guardscript – Detect any changes made to your JavaScript files - Dyaz17
https://www.guardscript.com
======
Dyaz17
Hey HN!

I created GuardScript because in my previous company we started to include
more and more third-party JavaScript from SaaS services on our homepage, and
this created security risks for us [1] [2].

In order to reassure us, a few of these companies created independently what
is essentially GuardScript: a service that monitors every few minutes any
changes made to your JavaScript files and sends you a notification with the
changes made. You can then detect any malicious modification by analyzing
these results. I decided to build it for a broader audience.

I'd love feedback and suggestions on how to make it better.

Thanks!

[1] https://www.theregister.co.uk/2018/09/12/feedify_magecart_ja
[2] https://www.zdnet.com/article/hackers-breach-statcounter-to-hijack-bitcoin-transactions-on-gate-io-exchange/

~~~
BubRoss
Why wouldn't someone just detect changes to the files at the OS level?

~~~
jjeaff
It sounds like this is talking about 3rd party scripts included in the page.
Like Google analytics and the like.

~~~
Dyaz17
Exactly.

------
leppr
This is good, but this won't stop the first few visitors from getting pwned.
Client-side check (SRI) is still the best solution.

~~~
Dyaz17
You are right. SRI is the best solution and I mention it in the FAQ.
Unfortunately, it can't always be implemented. See my previous comment:

Well many companies that offer you a service don't include the Subresource
Integrity tag. Check for instance Stripe: <script
src="https://js.stripe.com/v3"></script> or Facebook: <script async defer
src="https://connect.facebook.net/en_US/sdk.js"></script>

If they offer you a JavaScript and it has to change frequently to fix bugs,
for instance, they don't want to be bothered with having to coordinate with
all their customers to change the Subresource Integrity tag...

In this case, our service could be an alternative.

------
missblit
> How do you detect the modifications? We compute the hashes of the files
> regularly. If only one character in a file changes, its hash will change.

Does this include HTTP headers? For instance a yay.js framework that helps
people print 'yay' to the console could return:

    HTTP/1.1 301 MOVED PERMANENTLY
    LOCATION: http://evil.evil/evil.js

    console.log('yay!');

~~~
Dyaz17
No it does not include the headers. Only the js file downloaded.
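Added example (not GuardScript's code, nor from any commenter): a small Python monitor that baselines a third-party script the way SRI does, as a sha384 hash of the body, and also records the final URL and Content-Type so that missblit's yay.js case above, a redirect to another host with an unchanged body, is flagged even though the body hash stays the same. The FetchResult type and the sample responses are constructed stand-ins for a real HTTP fetch.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass
class FetchResult:
    """Constructed stand-in for one HTTP fetch of a script: the URL reached
    after following redirects, selected response headers, and the body."""
    final_url: str
    headers: dict
    body: bytes


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body, e.g. 'sha384-<base64>'.
    This is what an integrity= attribute carries and what a body-only monitor
    compares between polls."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def snapshot(result: FetchResult) -> dict:
    """Baseline more than the body: a redirect to another host or a changed
    Content-Type are delivery changes a body hash alone cannot see."""
    return {
        "sri": sri_hash(result.body),
        "final_url": result.final_url,
        "content_type": result.headers.get("content-type", "").lower(),
    }


def check(baseline: FetchResult, current: FetchResult) -> list:
    """Return a list of changed fields; an empty list means nothing changed."""
    before, after = snapshot(baseline), snapshot(current)
    return [f"{k}: {before[k]!r} -> {after[k]!r}"
            for k in before if before[k] != after[k]]


# Constructed samples: the original yay.js, a later poll whose body is
# byte-identical but was served via a 301 to another host, and a poll
# where the body itself was altered.
JS_HEADERS = {"content-type": "application/javascript"}
BASELINE = FetchResult("https://cdn.example/yay.js", JS_HEADERS, b"console.log('yay!');\n")
REDIRECTED = FetchResult("http://evil.evil/evil.js", JS_HEADERS, b"console.log('yay!');\n")
MODIFIED = FetchResult("https://cdn.example/yay.js", JS_HEADERS, b"console.log('yay!');\n//\n")

if __name__ == "__main__":
    for name, cur in (("same", BASELINE), ("redirected", REDIRECTED), ("modified", MODIFIED)):
        print(name, check(BASELINE, cur) or "unchanged")
```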

------
godzillabrennus
Pricing seems high to me. A sub-$10/month plan that lets someone check 30
files once a day or even once a week would be useful.

Plenty of small companies have god-awful WordPress sites with a ton of
insecure JavaScript files. They don't need to be checked every 10 minutes but
they do need something to check.

~~~
Dyaz17
Thanks for the suggestion.

------
dmitrygr
I get relying on 3rd party libraries, but not hosting them yourself and just
hoping that the current host never gets sold/owned/etc? That sounds insane to
me...

Sounds like _curl | insmod /dev/stdin_ level insane

~~~
ben509
Some 3rd party services, though, serve up libraries, e.g. Disqus.

~~~
koolba
And those 3rd party libs can dynamically load other files via script tags. The
first level does not even have to change for dynamically loaded scripts to
change.

------
stephenr
Apart from the "SaaS services" (I mean, are they really services for
services?), this seems to boil down to:

"We can't trust SaaS.... so we built a SaaS to alert you when the JS delivered
by your SaaS changes...". So now you have to trust this SaaS to tell you that
the other SaaS is still trustworthy.

~~~
quickthrower2
That's the premise behind most security software. We can't trust the internet,
so download a firewall from the internet to block traffic from the internet.

~~~
stephenr
The software you download is generally signed by a party that you do trust
though, and then runs locally on your computer.

And of course, that also doesn't _really_ apply if you're using an operating
system that includes a firewall by default.

------
pietroglyph
Looks very cool. You have a typo in the pricing area of the page: it says
"Sart Free Trial" instead of "Start Free Trial".

~~~
Dyaz17
Thank you, I have corrected it.

------
snek
Imagine an internet where instead of making this tool, people stopped
including billions of third party scripts.

~~~
leppr
Imagine an operating system where instead of making this tool, people stopped
including billions of third party libraries.

------
graphememes
You could do this with a free serverless function on AWS, why would I pay for
it?

~~~
viraptor
To save time you'd otherwise spend writing and testing the serverless
function. This applies to literally every SaaS.

~~~
graphememes
This isn't particularly a hard thing to do, and the testing framework is
pretty much baked into AWS. There are libraries to do this already.

You do you though.