This article takes an honest look at the features of Feroot vs c/side. Please note that you’re on the c/side website. While we have a natural bias, we present both tools in the same light. To complete your research, please visit the Feroot product pages.
The differences between Jscrambler Webpage Integrity and c/side
Jscrambler started as a company focussed on providing JavaScript obfuscation to protect intellectual property. In 2021 Jscrambler added a client-side detection method to their offering to protect against browser side attacks.
They look for suspicious behaviors in scripts and block those actions in the browser of the user.
Unlike c/side, they are not part of the delivery flow of the 3rd party script.
| c/side | Feroot | |
|---|---|---|
| Doesn't rely on CSP policies | ✅ | ✅ |
| Doesn't cause errors in the browser terminal | ✅ | |
| Client side JS script detection | ✅ | ✅ |
| Uses threat feed intel | ✅ | ✅ |
| Monitors Who-is records | ✅ | |
| Monitors SSL | ✅ | |
| Able to detect inline scripts | ✅ | ✅ |
| Uses AI to analyse scripts | ✅ | ✅ |
| Creates allow lists for scripts | ✅ | |
| Is able to block scripts without creating an allow list | ✅ | ✅ |
| Proxies scripts | ✅ | |
| Stores script content for future review | ✅ | ✅ |
| 100% certainty that the script reviewed is the one seen by the browser of the user | ✅ | ✅ |
| Stores historical script content to improve detections and help investigations | ✅ | ✅ |
| Performance enhances scripts | ✅ |
What we don’t like about Feroot
Feroot’s offering appears to be split into two products: “PageGuard” and “Inspector”.
Their PageGuard page reads:
“PageGuard deploys security permissions and policies to JavaScript-based web applications to continuously protect them from malicious client-side activities, malware, and third-party scripts.”
And:
“PageGuard overwrites certain main and core JavaScript code to protect your web application from client-side cyber threats.”
It’s clear they largely follow the same approach as most of our competitors. They use permissions and a form on an allow-list where you pre-approve which scripts are allowed to run on which pages.
This is better than doing nothing, but it doesn’t protect against 0-day attacks.
Though they go a step further than most, and that should receive credit. “PageGuard” in general keeps track of all JavaScript events on pages and also of the date and time when a script is being loaded in the browser, similar to c/side.
They don’t seem to use a proxy approach like we do however. It’s not exactly clear to us, but here’s how we think it works:
-
They’re most likely crawling your website and alerting you for specific scripts they have labeled, and attributes in scripts they have labeled as troublesome.
-
Some server-side code can be deployed to find, block or even remove 3rd party scripts and cookies.
-
They also have a Chrome browser extension called PageScanner which seems to be free to download and use.
So if the approach is different, is the result the same? Yes and no. Yes, Feroot is obviously aware of the dangers of third-party scripts having uncontrolled access to user data. And we can only applaud companies trying to tackle this issue.
But they mention that:
“PageGuard is able to block a variety of JavaScript functions and features (including) scripts dynamically added into your code and scripts indirectly loaded through attributes and Evan()-like functions.”
And in this we see that the results are not the same. “PageGuard” detects and blocks scripts that are dynamically added to a webpage after the initial page load.
At c/side we vouch for our proxy approach because it blocks scripts before the initial page load. Ultimately stopping the attack before it happened.
Through our optimizations and engineering, this doesn’t add latency in nearly all cases. It often even speeds up scripts rather than slows them down.
“Inspector” is another Feroot product, which appears to use bots to mimic real user behavior on your site. They then gather info on what data is requested where, and where data in form submissions or solving CAPTCHAs gets sent to. A report is then generated to list potential issues. This appears to run continuously to spot new threats.
c/side doesn’t use this botted approach. But since we track all activity of real users on your site and don’t sample traffic, the result should be largely the same.
Finally, it’s important to note that Feroot’s call to action is “Start Free Website Assessment” which blocks you from getting started right away. Pricing not mentioned either. This combination is one we actively try to avoid. Security should not be hidden, but accessible for all to better their services and serve their customers.
Your choice!
So there you have it, our understanding and thoughts on how Feroot and c/side shape up. Have we made our case or are you still looking for some more information?
Hop on our free tier, and take it for a spin. Get started with c/side.
Or, you can go here to read more on how c/side works and find other comparisons.