Launch HN: Feroot (YC W21) – security scanner for front-end JavaScript code
12 by ivan_tsarynny | 3 comments on Hacker News.
Hi HN! I'm Ivan, the co-founder of Feroot Security (YC W21) ( https://www.feroot.com/ ). Feroot Inspector is a security scanner for the client-side javascript code of web apps made for app sec teams. If you're not testing the security of the client-side code of your web app, there’s a good chance you could be exposed to Magecart skimmers, malware and spyware loaded with third-party scripts - css, pixels, tags, trackers, and more. We use synthetic users (i.e. bots—good ones!) to detect keyloggers, spyware, security misconfigurations, vulnerabilities, anomalies in the client-side code of web applications. Simulating activities that real users do, our scanner triggers all code activities first. And then it performs security testing and assessments of actual JavaScript code and everything else that is loaded into the browser when your users are using your web app. Pretty much what security scanners (like Qualys and Acunetix) are doing to test the application side code of web apps, but we do it for client-side code. So why did we build Feroot? First, nobody knows what actually happens on the client-side of web apps. Client-side code is a mystery and nobody knows when keyloggers are stealing users’ keystrokes or doing anything else sketchy. Second, existing web app security testing tools don’t perform data asset discovery. They don’t tell you what web forms exist throughout the user journeys and what information is ingested by the web app through each and every web form. All that is missing. Third, client-side code of web apps is highly variable and dynamic. As web developers are moving logic to the client-side a lot more externally controlled JavaScript code is included into users’ web browsers. Meaning, that every script, third-party and open source library can open a backdoor for hackers to exploit. We saw a need for a simple self-serve solution that brings security, developers, marketing and compliance teams together to help them secure the client-side of web apps. Feroot Inspector uses synthetic users and headless Chrome, which use algorithmic and heuristic approaches, to do activities that real users do -- type input into forms, submit forms to trigger potential keyloggers, skimmers, and all other client-side script activities. It also monitors all incoming and outgoing network traffic from the browser and uses data traps to terminate outbound network requests, to avoid any impact during the scan. Tech specs: 1) Support single-page/multiple-page web apps, and auto-discovery pm multi-page websites; 2) Resolves captchas, undetected by bot detection systems; 3) Tracks script changes, stores scripts content, detection of unauthorized scripts; 4) Audits page and frame security matrix, permission model for main frame of the page and all child-frames; 5) Detects data input and data ingestion points and report on data transfer, active data read (keystroke read), data access model; 6) Form-based authentication for scanning password-protected websites and custom scenario based authentication; 7) Detects data transfers from browser of user sessions to third-party hosts and domains; 8) Geo-decoding in real time of the destination country of data transfers; 8) Report export to: JSON (using API), CSV, Excel, and PDF; 9) Native Integrations: Slack, Jira, Datadog, PagerDuty, Splunk, JupiterOne, Sumo Logic, AWS Cloudwatch Events/logs, Opsgenie, ServiceNow, and webhooks; 10) Inspector performs non-intrusive, outside-in scanning of production live web apps. We would love to hear your feedback about Feroot scanner, as well as answer questions you might have! Thanks, Ivan & Vitaliy
Post a Comment