Scriptinel
Protect your website from frontend data breaches

Prevent data breaches through your frontend

Scriptinel scans your website and alerts you in case a malicious actor tampers with your scripts

DATA BREACH PROTECTION

Not all data breaches occur at the database. Some occur in the browser. Prevent that by monitoring your scripts


REGULATORY COMPLIANCE

GDPR, HIPAA, CCPA and other data protection regulations have similar requirements for keeping personal data safe. Scriptinel makes you more compliant.


TRACK VULNERABLE SCRIPTS

We'll notify you if there are known vulnerabilities in your scripts so that you can upgrade them


MAGECART PROTECTION

Magecart is a group of hackers that steal credit card numbers. We help you identify Magecart attacks and stop them.

If you have questions about data breach protection measures and how to apply them, don't hesitate to contact us.

FAQ

Q: What threats does Scriptinel protect against?
A: Malicious actors can modify scripts that run on your website in order to steal your users' data (credentials, credit card details, etc.). The British Airways and Ticketmaster breaches are the most notorious such attacks. They can happen in multiple ways:

  • A 3rd party script hosting (e.g. CDN) gets compromised
  • Your own static resource server gets compromised
  • An attacker performs a man-in-the-middle attack and thus modifies a script from an otherwise uncompromised server
Scriptinel addresses these by monitoring your scripts for unexpected changes and alerting you when they happen.

Q: Which pages should I monitor?
A: You can monitor any page, but it's best to monitor the following:

  • Homepage - if the page your users land on is compromised, an attacker can do anything to trick them into submitting sensitive data. Since you are most likely reusing templates, monitoring the homepage scripts means monitoring the scripts on most pages
  • Login page - this is where an attacker can get hold of your users' credentials
  • Payment page - the most lucrative data is credit card details, so monitoring the payment page scripts is key. Your payment page may not be directly reachable from a specific URL, so you may have to manually monitor each script on that page
Q: Should I scan pages or scripts?
A: Scriptinel supports both. For public pages it's good to scan the whole page, whereas for pages that are not reachable directly via a GET request (e.g. the payment page), you can monitor scripts individually.

Q: Why is this better than Subresource Integrity (SRI)?
A: Subresource integrity is great, but it has the following issues:

  • It complicates build automation as you have to recalculate hashes of bundled and minimized scripts and inject them into page templates
  • Minor changes in a script can break your entire website
  • It doesn't apply to dynamically loaded scripts
  • If your main server is compromised, the attackers can easily update the script hash
Scriptinel is simple to set up and doesn't break your website; instead it alerts you in case of changes. It works with dynamically loaded scripts, and even if an attacker has control of the system, they can't stop the monitoring. While they could serve a different version of the script to our IPs, that's a more complicated step than changing the script hash. It may seem strange that an attacker with access to the main server would inject JavaScript rather than breach the database, but credit cards aren't usually stored in plain text there, and it's easier to collect them through a well-tested malicious frontend script than to modify custom code.

Q: Isn't Content-Security-Policy (CSP) enough to protect me from malicious scripts?
A: No. CSP only defines the trusted domains, but this is exactly how breaches happen: a trusted domain gets compromised and starts serving modified malicious scripts. You should still use CSP for additional protection, of course.

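To make the three answers above concrete (monitoring scripts for unexpected changes, the SRI hash that has to be recomputed on every build, and a CSP host allowlist that still admits a tampered script from a trusted domain), here is an added example. It is not Scriptinel's code and does not describe how the product works internally; the script bodies, URLs and policy string are constructed for the example, and the `fetch` callable is injected so the whole thing runs offline.

```python
"""Added example (not Scriptinel's code): SRI hashing, baseline change
detection for monitored scripts, and a minimal CSP script-src host check.
All URLs, script bodies and the policy below are constructed sample data."""
import base64
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlparse


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the value used in <script integrity="..."> for this body:
    '<algo>-<base64 digest>', as the SRI specification defines it."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


@dataclass
class Finding:
    url: str
    baseline: str   # SRI value recorded when the script was known-good
    observed: str   # SRI value of what the monitor just fetched

    @property
    def changed(self) -> bool:
        return self.baseline != self.observed


def check_scripts(baseline: Dict[str, str],
                  fetch: Callable[[str], bytes]) -> List[Finding]:
    """Compare every monitored script against its recorded SRI value.
    `fetch(url) -> bytes` is injected so the example runs offline; a real
    monitor would perform an HTTP GET from an independent vantage point."""
    return [Finding(url, expected, sri_hash(fetch(url)))
            for url, expected in baseline.items()]


def changed_scripts(findings: List[Finding]) -> List[str]:
    """URLs whose content no longer matches the baseline (what gets alerted)."""
    return [f.url for f in findings if f.changed]


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into directive -> source list."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def csp_allows(policy: str, script_url: str) -> bool:
    """Host-allowlist evaluation of script-src only (no 'self', nonces,
    hashes or wildcards). Note it never looks at the script's content."""
    allowed = parse_csp(policy).get("script-src", [])
    return urlparse(script_url).netloc in allowed


# --- constructed sample data (hypothetical hosts and scripts) -------------
CDN_URL = "https://cdn.example-vendor.test/checkout.js"
SELF_URL = "https://shop.example.test/static/app.js"
ORIGINAL_CHECKOUT = b"function submitPayment(f){ return post('/pay', serialize(f)); }"
TAMPERED_CHECKOUT = ORIGINAL_CHECKOUT + b"\nwindow.__modified = true;"  # any byte changes the hash
APP_JS = b"window.App = { version: '1.0' };"

# Baseline recorded while the site was known-good. This is exactly the value
# SRI would embed in the page template, which is why every build that touches
# a bundle must regenerate it.
BASELINE = {CDN_URL: sri_hash(ORIGINAL_CHECKOUT), SELF_URL: sri_hash(APP_JS)}
POLICY = "default-src 'self'; script-src shop.example.test cdn.example-vendor.test"


def fetch_good(url: str) -> bytes:
    return {CDN_URL: ORIGINAL_CHECKOUT, SELF_URL: APP_JS}[url]


def fetch_after_cdn_compromise(url: str) -> bytes:
    """Simulates the 'third-party hosting gets compromised' case."""
    return {CDN_URL: TAMPERED_CHECKOUT, SELF_URL: APP_JS}[url]


def demo():
    """Returns (changed before, changed after, CSP still allows tampered CDN)."""
    before = changed_scripts(check_scripts(BASELINE, fetch_good))
    after = changed_scripts(check_scripts(BASELINE, fetch_after_cdn_compromise))
    return before, after, csp_allows(POLICY, CDN_URL)


if __name__ == "__main__":
    print(demo())
```

The `demo()` call returns an empty list for the known-good fetch, `[CDN_URL]` once the CDN copy has been altered, and `True` for the CSP check in both cases: the policy admits the script because its host is allowlisted, regardless of what the host now serves, which is the gap the content-hash comparison closes.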
Q: Will monitoring slow down my website?
A: No, the scans are gentle and don't involve heavy server-side operations on your end