[HN Gopher] Launch HN: Feroot (YC W21) - security scanner for fr...
___________________________________________________________________
Launch HN: Feroot (YC W21) - security scanner for front-end
JavaScript code
Hi HN! I'm Ivan, the co-founder of Feroot Security (YC W21)
(https://www.feroot.com/). Feroot Inspector is a security scanner
for the client-side JavaScript code of web apps, made for app sec
teams. If you're not testing the security of the client-side code
of your web app, there's a good chance you could be exposed to
Magecart skimmers, malware and spyware loaded with third-party
scripts - css, pixels, tags, trackers, and more. We use synthetic
users (i.e. bots--good ones!) to detect keyloggers, spyware,
security misconfigurations, vulnerabilities, and anomalies in the
client-side code of web applications. Simulating activities that
real users do, our scanner triggers all code activities first. And
then it performs security testing and assessments of actual
JavaScript code and everything else that is loaded into the browser
when your users are using your web app. Pretty much what security
scanners (like Qualys and Acunetix) are doing to test the
application-side code of web apps, but we do it for client-side
code.

So why did we build Feroot? First, nobody knows what actually
happens on the client-side of web apps. Client-side code is a
mystery and nobody knows when keyloggers are stealing users'
keystrokes or doing anything else sketchy. Second, existing web app
security testing tools don't perform data asset discovery. They
don't tell you what web forms exist throughout the user journeys
and what information is ingested by the web app through each and
every web form. All that is missing. Third, client-side code of web
apps is highly variable and dynamic. As web developers are moving
logic to the client-side, a lot more externally controlled
JavaScript code is included into users' web browsers. Meaning that
every script, third-party and open source library can open a
backdoor for hackers to exploit. We saw a need for a simple
self-serve solution that brings security, developers, marketing and
compliance teams together to help them secure the client-side of
web apps.

Feroot Inspector uses synthetic users and headless Chrome, which
use algorithmic and heuristic approaches, to do activities that
real users do -- type input into forms, submit forms to trigger
potential keyloggers, skimmers, and all other client-side script
activities. It also monitors all incoming and outgoing network
traffic from the browser and uses data traps to terminate outbound
network requests, to avoid any impact during the scan.

Tech specs:
1) Supports single-page/multiple-page web apps, and auto-discovery
   on multi-page websites;
2) Resolves captchas, undetected by bot detection systems;
3) Tracks script changes, stores script content, detects
   unauthorized scripts;
4) Audits page and frame security matrix, permission model for
   main frame of the page and all child-frames;
5) Detects data input and data ingestion points and reports on
   data transfer, active data read (keystroke read), data access
   model;
6) Form-based authentication for scanning password-protected
   websites and custom scenario-based authentication;
7) Detects data transfers from the browser of user sessions to
   third-party hosts and domains;
8) Geo-decoding in real time of the destination country of data
   transfers;
9) Report export to: JSON (using API), CSV, Excel, and PDF;
10) Native integrations: Slack, Jira, Datadog, PagerDuty, Splunk,
    JupiterOne, Sumo Logic, AWS Cloudwatch Events/logs, Opsgenie,
    ServiceNow, and webhooks;
11) Inspector performs non-intrusive, outside-in scanning of
    production live web apps.

We would love to hear your feedback about Feroot scanner, as well
as answer questions you might have! Thanks, Ivan & Vitaliy
Author : ivan_tsarynny
Score : 30 points
Date : 2021-02-04 12:55 UTC (10 hours ago)
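The launch post describes two mechanisms: classifying what leaves the browser (first-party vs. third-party hosts, and which form values travel with each request) and a "data trap" that aborts outbound requests so the scan has no side effects. The block below is an added example of that classification step; it is not Feroot's code. It runs offline over a constructed list of captured requests, and the hosts, field values and allowlist are all made up for the example. The Puppeteer hook it mentions in a comment is the real request-interception API, but it is not executed here.

```javascript
// Added example, not Feroot's code: the classification step of a client-side scan,
// run offline over constructed captured requests. Hosts, values and the allowlist
// below are all made up for the example.

// Values the synthetic user typed into the page's forms (constructed).
const SYNTHETIC_INPUT = {
  email: 'synthetic.user@example.test',
  card: '4111111111111111',
};

// Requests observed while the synthetic user filled and submitted the form
// (constructed; a real scan collects these from the headless browser).
const CAPTURED_REQUESTS = [
  { url: 'https://shop.example/api/checkout', method: 'POST', resourceType: 'xhr',
    postData: 'email=synthetic.user%40example.test&card=4111111111111111' },
  { url: 'https://static.shop.example/app.js', method: 'GET', resourceType: 'script' },
  { url: 'https://cdn.example-analytics.net/collect?u=synthetic.user%40example.test',
    method: 'GET', resourceType: 'image' },
  { url: 'https://fonts.example-cdn.org/inter.woff2', method: 'GET', resourceType: 'font' },
  { url: 'https://tags.unknown-vendor.example/tag.js', method: 'GET', resourceType: 'script' },
  { url: 'https://unknown-host.example/k', method: 'POST', resourceType: 'fetch',
    postData: JSON.stringify({ d: '4111111111111111' }) },
];

function decodeSafely(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// First-party means the page's own host or any subdomain of it; everything else is third-party.
function isThirdParty(pageUrl, requestUrl) {
  const site = new URL(pageUrl).hostname;
  const host = new URL(requestUrl).hostname;
  return !(host === site || host.endsWith('.' + site));
}

// Names of the synthetic fields whose values show up (URL-decoded) in the request URL or body.
function leakedFields(request, input) {
  const haystack = decodeSafely(request.url) + '\n' + decodeSafely(request.postData || '');
  return Object.keys(input).filter((field) => haystack.includes(input[field]));
}

// The data trap: any request that would carry synthetic input out of the browser is
// aborted, so the scan places no real order and feeds no real data to trackers.
function shouldAbort(request, input) {
  return leakedFields(request, input).length > 0;
}

// Classify every captured request. `allowlist` holds third-party hosts the app owner
// has approved; any other third-party host is reported as unauthorized.
function auditRequests(pageUrl, requests, input, allowlist) {
  return requests.map((request) => {
    const host = new URL(request.url).hostname;
    const thirdParty = isThirdParty(pageUrl, request.url);
    const fields = leakedFields(request, input);
    let severity = 'info';
    if (thirdParty && fields.length > 0) severity = 'high';               // user input leaves to a third party
    else if (thirdParty && !allowlist.includes(host)) severity = 'medium'; // unapproved third-party host
    return {
      host, resourceType: request.resourceType, thirdParty,
      leakedFields: fields, severity, aborted: shouldAbort(request, input),
    };
  });
}

// In a live scan the trap attaches to Puppeteer's request interception (not run here):
//   await page.setRequestInterception(true);
//   page.on('request', (r) => shouldAbort({ url: r.url(), postData: r.postData() }, SYNTHETIC_INPUT)
//     ? r.abort() : r.continue());

function main() {
  const findings = auditRequests('https://shop.example/checkout', CAPTURED_REQUESTS,
    SYNTHETIC_INPUT, ['cdn.example-analytics.net', 'fonts.example-cdn.org']);
  for (const f of findings) {
    console.log(f.severity.padEnd(6), f.resourceType.padEnd(6), f.host,
      f.leakedFields.length ? 'leaks=' + f.leakedFields.join(',') : '', f.aborted ? '(aborted)' : '');
  }
}
main();
```

Two design points worth noting: the same-site test is deliberately simple (host or subdomain of the page's host), so a real tool would swap in a public-suffix-aware comparison; and the trap keys on the synthetic values rather than on the destination, which is what makes the scan side-effect free even against first-party endpoints such as a checkout API.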
| yostar wrote:
| Wow. How did this not exist already? Such a massive gap - good
| for you Ivan!
| quaffapint wrote:
| We've been checking out the various scanners lately. One thing I
| noticed with both Zap and BurpSuite is the lack of being able to
| report page fragments in SPA routings.
|
| So a page like http://yoursite.com/page/#/users would just be
| listed as http://yoursite.com/page. Does this handle those SPA
| routing cases and report them?
|
| Also, in general, how is this different than Zap? We were just
| planning to set that up in our CI for API and SPA scanning.
|
| What kind of scripting does it support to be able to get and use
| authz tokens for example?
| v1talique wrote:
| Excellent questions. We have built support for SPA navigation.
| On top of that, our custom scenario functionality allows the
| scanner to reach the state of the app that may not have a unique
| URL (i.e. popup windows, etc.) or the pages that require
| conditional logic, such as a checkout page with products in the
| cart.
| brennanm wrote:
| Super cool
| Dyaz17 wrote:
| This is just awesome... Congrats on the launch. This product
| seems to protect really well websites that include a lot of
| third-party JavaScript. On the other hand, if you are one of the
| third parties offering the JS, I would advise you to implement
| Subresource Integrity. Or, if not possible, to monitor constantly
| any modifications made to your JS file. I developed a service
| that does that and there is a free plan:
| https://www.guardscript.com/
| ivan_tsarynny wrote:
| great idea! lmk if you'd like to chat
| narrationbox wrote:
| Are there any free plans or discounts for HN users?
| ivan_tsarynny wrote:
| Thanks for asking; yes, we have a special package and discount
| for YC and HN companies. If you like using it, please email me
| to get you upgraded.
| ob1gman wrote:
| This is a huge problem! This looks very promising!
| blivingston wrote:
| Seems like a massive gap that you guys are addressing -
| especially in the enterprise space, I'll be watching closely!
| [deleted]
| forty wrote:
| Looks interesting! Just a piece of advice: you are making a web
| security related product, it cannot be a bad idea to have that
| page greener
| https://securityheaders.com/?q=https%3A%2F%2Fwww.feroot.com%...
| ;)
| v1talique wrote:
| Thank you - just did! :)
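forty's pointer to securityheaders.com is about the response headers a site sends. The block below is an added example of the kind of check that service performs, written here with its own simplified baseline rather than securityheaders.com's actual scoring. The two header sets are constructed: one for a stock response and one for the same site after hardening.

```javascript
// Added example, not securityheaders.com's scoring: audit a response's headers
// against a common hardening baseline. The header sets are constructed; a real
// check reads them from an HTTP response.

// Each check gets the header value and returns null when fine, or a short reason when weak.
const BASELINE = {
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return 'no max-age';
    return Number(m[1]) >= 31536000 ? null : 'max-age shorter than one year';
  },
  'content-security-policy': (v) => {
    if (!/(^|;)\s*(default-src|script-src)\b/i.test(v)) return 'no default-src or script-src directive';
    return /unsafe-inline|unsafe-eval/i.test(v) ? "allows 'unsafe-inline' or 'unsafe-eval'" : null;
  },
  'x-content-type-options': (v) => (v.trim().toLowerCase() === 'nosniff' ? null : 'expected nosniff'),
  'x-frame-options': (v) => (/^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? null : 'expected DENY or SAMEORIGIN'),
  'referrer-policy': (v) => (/no-referrer|strict-origin/i.test(v) ? null : 'policy sends full URL to third parties'),
  'permissions-policy': () => null, // presence is enough for this baseline
};

// One finding per baseline header: missing, weak (with the reason), or ok.
function auditHeaders(headers) {
  const byName = {};
  for (const [k, v] of Object.entries(headers)) byName[k.toLowerCase()] = String(v);
  return Object.entries(BASELINE).map(([name, check]) => {
    if (!(name in byName)) return { header: name, status: 'missing', note: '' };
    const problem = check(byName[name]);
    return problem ? { header: name, status: 'weak', note: problem } : { header: name, status: 'ok', note: '' };
  });
}

// Letter grade from the share of baseline headers that pass.
function grade(findings) {
  const ok = findings.filter((f) => f.status === 'ok').length;
  const ratio = ok / findings.length;
  if (ratio === 1) return 'A';
  if (ratio >= 0.8) return 'B';
  if (ratio >= 0.6) return 'C';
  if (ratio >= 0.4) return 'D';
  return 'F';
}

// Constructed: a stock response, and the same app after hardening.
const BEFORE = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline'",
};
const AFTER = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://static.shop.example; object-src 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=()',
};

function main() {
  for (const [label, headers] of [['before', BEFORE], ['after', AFTER]]) {
    const findings = auditHeaders(headers);
    console.log(`${label}: grade ${grade(findings)}`);
    for (const f of findings) {
      if (f.status !== 'ok') console.log(`  ${f.status.padEnd(7)} ${f.header} ${f.note}`);
    }
  }
}
main();
```

The CSP check is the one to read carefully: a policy that is present but allows `'unsafe-inline'` is graded weak rather than ok, because an inline-permitting policy does little against the injected-script cases the launch post is about.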
| ahytai wrote:
| Huge need for this and very few good solutions out there.
___________________________________________________________________
(page generated 2021-02-04 23:01 UTC)