JavaScript Security Monitoring

October 16, 2017

PLEASE NOTE: Our JavaScript Security Monitor has been superseded by our Data Breach Monitor, which helps defend against skimming attacks and data breaches. The JavaScript Security Monitor is no longer available.

Security Monitoring is one area that will be receiving major focus from the RapidSpike team over the coming months. One new addition to our ever increasing range of features is the JavaScript Security Monitor.

JavaScript security is becoming an increasing issue that needs addressing by website owners. The threat posed by hackers utilising JavaScript as an attack vector is gaining in popularity.

The Magecart attacks as reported by Security.io highlighted issues where hackers would either hack third-party JavaScript files or the files on your web server to make rogue calls that in this case inserted keyloggers specifically looking for credit card details at the checkout phase of your e-commerce website.

More recently, the BBC reported on hackers that have managed to install code on the various websites that use visitors’ computers to “mine” cyber-currencies.

RapidSpike have released a feature-rich JavaScript Security Monitor that enables web site owners to ensure the integrity of their JavaScript files and get alerted to any behaviour that could indicate a possible hack.

How does the JavaScript Security Monitor work?

The RapidSpike JavaScript Security Monitor introduces a new level of security monitoring, specifically aimed at JavaScript files in use on your website. The monitor works on both JavaScript files hosted on your website as well as third-party hosted JavaScript files.

The monitor uses the Synthetic User Journey technology to function as a Security Module to the User Journey. When the User Journey runs, a list of JavaScript files in use is collected and this forms the basis of a Whitelist.

Two main features are provided by the monitor. The first feature is to monitor for the addition of new JavaScript files. With this feature, if a new JavaScript file appears that is not on your preconfigured whitelist then you have the ability to be alerted via the delivery method of your choice.

This feature protects against an attack to your web server where a new JavaScript file is referenced by your website. This could be hosted on your web server but in practice these rogue files are normally hosted remotely and called by altering the HTML code on your web server.

The second feature is the ability to Track the file size of the JavaScript file. If any of the JavaScript files used by your website suddenly change file size you have the ability to be alerted via the delivery method of your choice.

This feature protects against an attack to your web server where an existing JavaScript file is altered to contain malicious code. This is a very common way to get third-party malicious code injected into a current JavaScript file.

Both scenarios and features of the JavaScript Security Monitor have been identified as essential through common attacks against various commercial web sites and organisations.

How to setup the JavaScript Security Monitor

The RapidSpike JavaScript Security Monitor has been released as an Enterprise feature and you need at least an Enterprise account in order to configure the monitor against your website.

The monitor is currently configured through the User Journey configuration screens as it currently runs as a Security Module against a User Journey.

You need a configured User Journey that visits the pages you wish to check the JavaScript on in order to operate.

Visiting the Journey Settings you will now see a JS Security tab. The first time you visit this tab you will be presented with the screen below advising you that the monitor is not running:

Clicking on Activate Monitor will enable the JavaScript Security Monitor and the system will retrieve the JavaScript files identified during the most recent successful User Journey.

At this point, the JavaScript Security Monitor is running but will only warn you when new JavaScript files appear. To also check the for a filename change, select the file or files you wish to track.

Tracked files are monitored for filename changes and the screenshot below displays a sample JavaScript whitelist with 3 files being tracked.

Baselining the JavaScript Security Monitor

As we have covered above, there are two features of the JavaScript Security Monitor. You may be questioning why you would not just track every JavaScript file. The answer to this is that some JavaScript files are dynamic by nature.

Some JavaScript files will have a dynamic filename or path and some JavaScript files may contain dynamic elements within them that would alter the size of the file such as files that include the date or a session id within the JavaScript.

Both of the scenarios above will cause what is called a false positive, something that appears as a warning but is normal.

We have developed a solution that allows you to baseline your configuration to identify any dynamic files that may need adjusting so as to not produce a lot of false positive warnings or alerts.

Looking at the example below we can see that the file has what looks to be a version number:

Clicking on the Edit button allows you to set the filename to Begin With: rather than an exact match. We can edit the filename to begin with the name before the dynamic element. This will still be matched so a warning will not be generated for the file if anything after the filename changes.

One approach to baselining is to leave the monitor running to see how many warnings it fires and then to look at each warning to ascertain how to prevent the warning from happening by editing the file name and setting a Begins with:

RapidSpike are offering Professional Services to configure this for clients utilising their experience so feel free to get in touch if this is something you are interested in.

Receiving Alerts from the JavaScript Security Monitor

By default, you only receive a warning through the User Journey system when a problem is identified. If you would like to receive an email alert, you can browse to the User Journey Rules of the Alert Settings and configure an alert.

As shown above, an alert can be created when a tracked JavaScript file changes size or when a new JavaScript file is detected.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.