Friday, 5 February 2021

Show HN: Black Hat Rust – Deep dive into offensive security with Rust https://ift.tt/39Lsf0C

Show HN: Black Hat Rust – Deep dive into offensive security with Rust https://ift.tt/3rnCQEK February 4, 2021 at 11:34PM

Launch HN: Feroot (YC W21) – security scanner for front-end JavaScript code https://ift.tt/3jj3uft

Launch HN: Feroot (YC W21) – security scanner for front-end JavaScript code Hi HN! I'm Ivan, the co-founder of Feroot Security (YC W21) ( https://www.feroot.com/ ). Feroot Inspector is a security scanner for the client-side JavaScript code of web apps, made for AppSec teams. If you're not testing the security of the client-side code of your web app, there's a good chance you could be exposed to Magecart skimmers, malware and spyware loaded with third-party scripts - CSS, pixels, tags, trackers, and more. We use synthetic users (i.e. bots - good ones!) to detect keyloggers, spyware, security misconfigurations, vulnerabilities and anomalies in the client-side code of web applications. Simulating activities that real users do, our scanner first triggers all code activities. Then it performs security testing and assessments of the actual JavaScript code and everything else that is loaded into the browser when your users are using your web app. It is pretty much what security scanners (like Qualys and Acunetix) do to test the application-side code of web apps, but we do it for client-side code. So why did we build Feroot? First, nobody knows what actually happens on the client side of web apps. Client-side code is a mystery, and nobody knows when keyloggers are stealing users' keystrokes or doing anything else sketchy. Second, existing web app security testing tools don't perform data asset discovery. They don't tell you what web forms exist throughout the user journeys and what information is ingested by the web app through each and every web form. All that is missing. Third, the client-side code of web apps is highly variable and dynamic. As web developers move logic to the client side, a lot more externally controlled JavaScript code is included in users' web browsers, meaning that every script, third-party and open source library can open a backdoor for hackers to exploit.
We saw a need for a simple self-serve solution that brings security, developers, marketing and compliance teams together to help them secure the client side of web apps. Feroot Inspector uses synthetic users and headless Chrome, which use algorithmic and heuristic approaches to do the activities that real users do -- type input into forms, submit forms to trigger potential keyloggers, skimmers, and all other client-side script activities. It also monitors all incoming and outgoing network traffic from the browser and uses data traps to terminate outbound network requests, to avoid any impact during the scan. Tech specs:
1) Supports single-page/multi-page web apps, and auto-discovery on multi-page websites;
2) Resolves captchas, undetected by bot detection systems;
3) Tracks script changes, stores script content, detects unauthorized scripts;
4) Audits the page and frame security matrix, and the permission model for the main frame of the page and all child frames;
5) Detects data input and data ingestion points and reports on data transfer, active data read (keystroke read), and the data access model;
6) Form-based authentication for scanning password-protected websites and custom scenario-based authentication;
7) Detects data transfers from the browser of user sessions to third-party hosts and domains;
8) Geo-decoding in real time of the destination country of data transfers;
9) Report export to JSON (using API), CSV, Excel, and PDF;
10) Native integrations: Slack, Jira, Datadog, PagerDuty, Splunk, JupiterOne, Sumo Logic, AWS CloudWatch Events/Logs, Opsgenie, ServiceNow, and webhooks;
11) Inspector performs non-intrusive, outside-in scanning of production live web apps.
We would love to hear your feedback about the Feroot scanner, as well as answer any questions you might have! Thanks, Ivan & Vitaliy February 4, 2021 at 06:25PM

Thursday, 4 February 2021

Show HN: Pinocchio – A GUI for Puppeteer test creation https://ift.tt/3tzCugv

Show HN: Pinocchio – A GUI for Puppeteer test creation https://ift.tt/36Z7ooT February 4, 2021 at 09:56PM

Launch HN: Tint (YC W21) – Embed insurance into any product https://ift.tt/3ax6TmS

Launch HN: Tint (YC W21) – Embed insurance into any product Hi HN! We're Matheus & Jérôme and we're the co-founders of Tint ( http://www.tint.ai ). We help companies add insurance to their products. Many companies, such as marketplaces, merchants, and travel agents, could include insurance as part of their products and services to make them more valuable to their customers. For example, insurance is included when you rent a campervan for a weekend trip at Outdoorsy, to protect you if anything goes wrong. Our platform provides everything that is needed: software, access to insurers, compliance - everything required to manage risk and protect users, profitably. We met in 2014 when we were early employees at Turo, the car-sharing startup. While there, we saw the potential that insurance products have and also saw how hard it was to fully capitalize on it. Turo has an obvious and pressing need for insurance, but to fill it, they had to build their own systems, find insurers to back the program, and ensure compliance with state laws. None of this was their core business. We were inspired by the problem and by the opportunity to solve it, so we decided to create Tint. Here is a real example from Riders Share, one of our clients: you go to their website/app to rent a motorbike for the weekend and find an awesome Harley-Davidson. You proceed to checkout, see a few protection/insurance options, select one, and book the trip. You won't notice, but Riders Share's app has used Tint to risk-score the transaction, decide if it should be confirmed, and calculate how much the protection should cost. Now, imagine you are a developer working on this project and need to add insurance to the product. What do you do? Instead of reinventing the wheel and adding more lines of code to maintain, you can leverage our APIs to integrate all the touchpoints required to sell insurance to your users (risk selection, quotes, issuing the policy, claims, …).
All the logic for the API responses is configured from our app, so your insurance team can easily iterate on the next versions of your insurance product. Oh, and we also train machine learning models so we can recommend ways to improve its performance. We're live in production and have helped our clients embed hundreds of thousands of insurance policies. While our tech applies to any insurance use case, we are initially targeting marketplaces that embed insurance. We'd love to hear any of your ideas or experiences in this space. Thanks, Matheus + Jérôme February 4, 2021 at 09:32PM

Show HN: Spy on Shopify Stores https://ift.tt/2MBGYT1

Show HN: Spy on Shopify Stores https://shopgram.io February 4, 2021 at 08:42PM

Show HN: TurnShift, I turned an Algolia internal scheduling tool into a SaaS https://ift.tt/3cJliim

Show HN: TurnShift, I turned an Algolia internal scheduling tool into a SaaS https://turnshift.app/ February 4, 2021 at 07:17PM

Show HN: Notify – easily send messages to multiple social platforms concurrently https://ift.tt/3oMtbWN

Show HN: Notify – easily send messages to multiple social platforms concurrently https://ift.tt/2YmUI6f February 4, 2021 at 06:04PM

Show HN: Hacker News-ish stock news, from 40+ sources https://ift.tt/3qb4Agp

Show HN: Hacker News-ish stock news, from 40+ sources https://ift.tt/3qb4Agp Show HN: Hacker News-ish stock news, from 40+ sources https://...