This article takes an honest look at the features of Jscrambler Web Page Integrity, another company focussing on client-side security.
Since you’re on the cside website, we acknowledge our bias. That said, we’ve built our case honestly and based our analysis on publicly available information, industry information, and our own or our customers' experiences.
If you want to verify these claims yourself, please navigate to their product page.
|
Criteria
|
cside
|
Jscrambler
|
Why It Matters
|
What the Consequences Are
|
|---|---|---|---|---|
| Approaches used | Active client-side detections + gate-keeper + scanner | Static client-side script | ||
| Real-time Protection |
|
| Attacks can occur between scans or in the excluded data when sampled | Delayed detection = active data breaches |
| Full Payload Analysis |
|
| Ensures deep visibility into malicious behaviors within script code itself, not just its actions. | Threats go unnoticed unless the source is known on a threat feed |
| Dynamic Threat Detection |
|
| Identifies attacks that change based on user, time, location or randomization | Missed detection of targeted attacks |
| 100% Historical Tracking & Forensics |
|
| Needed for incident response, auditing, and compliance | Without script contents visibility is restricted to the specified and monitored script actions instead of the raw script contents |
| Bypass Protection |
|
| Stops attackers from circumventing detection methods | Stealthy threats can bypass exposed detection methods |
| Certainty the Script Seen by User is Monitored |
|
| Aligns analysis with what actually executes in the browser | Gaps between what's reviewed and what's actually executed |
| AI-driven Script Analysis |
|
| Detects novel or evolving threats through behavior modeling | Reliance on manual updates, threat feeds or rules = slow and error-prone detection |
| QSA validated PCI dash |
|
| The most reliable way to ensure a solution is PCI compliant is to conduct a thorough audit by an independent QSA | Without QSA validation, you rely entirely on marketing claims, which could result in failing an audit |
| SOC 2 Type II |
|
| Shows consistent operational security controls over time | Lacks verified security control validation, making it a risky vendor |
| PCI specific UI |
|
| An easy interface for quick script review and justification via one click or AI automation | Mundane tasks and manual research on what all the scripts do, which takes hours or days |
| Cost |
Public and predictable
|
Hidden and inconsistent
| Transparent pricing allows teams to budget effectively and make informed decisions | Hidden pricing that varies drastically between customers creates unpredictability and budget uncertainty |
What is Jscrambler
Jscrambler is a cybersecurity tool that protects JavaScript code through obfuscation, runtime protection, and anti-tampering techniques.
How Jscrambler works
Jscrambler's core product centers itself around protecting first-party JavaScript code by transforming it through obfuscation. This makes the code more difficult to reverse-engineer or steal. It's main use is to protect companies scripts with sensitive logic in the frontend such as proprietary algorithms, licensing enforcement, or in-browser app logic. However, JS obfuscation is not a silver bullet. Executions in the browser are still leveraging APIs and executing certain actions which can still be monitored regardless of the obfuscation techniques used. There is also a whole community built around deobfuscation tools.
LLM's are increasingly getting better at deobfuscation JavaScript or at the very least contextualizing its actions based on the code itself.
Our own product cside uses LLMs in real-time to analyze script contents both obfuscated and deobfuscated to look for malicious patterns.
For actual client-side executions Jscrambler offers a feature to lock client-side functionality. Their “code locks” features allow developers to restrict where and when the code can run (e.g., on a specific domain or time window).
Their runtime protections aim to detect tampering and debugging, but they are self-contained.
This method most crucially places all detections in the browser, making an ideal sandbox for an attacker to develop an attack that circumvents their detection methods or locks. And in the world of JavaScript, there are 100 ways to get from a to b, so bypasses are common and relying solely on client-side detections is unable to fight off the more invested bad actors.
Jscrambler can not show you the script contents, because it doesn't track script contents at all. This makes it hard to perform any level of forensics on an attack as bad actors often sample their attacks making it hard or even impossible to obtain the malicious script contents after.
Not fully protected
One of the key issues with the Jscrambler client-side approach is that by design, they don't know what they don't catch. Any attack that successfully avoids their client-side hooks goes unseen and undetected making it much harder to improve detection capabilities and giving no ability to perform forensics.
On top of that, the client-side detections run client-side. Making it very easy for a bad actor to find ways to circumvent them. And unfortunately, they do constantly as we explained in our blogpost about bypass methods used in the wild.
Think of playing Minesweeper but with the bombs exposed.
“Bad actors that target large brands will try to reverse engineer what security is present. Client-side security suffers especially badly from this if the detections are solely done client-side. The result is simple: it's like playing minesweeper with the bombs exposed. Client-side security can not solely rely on client-side monitoring.”
— Simon Wijckmans, CEO, cside
How cside goes further
The cside team has substantial experience in client-side security. Throughout our experiences we identified that bad actors are operating at a level of sophistication that takes the upper hand over some security approaches. If the reward is high, any gap in a security detection model is an opportunity for a bad actor.
Given browsers specification limitations for client-side security, we’ve had to get creative which is why we approached client-side security in a unique way.
- Direct Mode - Easiest: We check script behaviors in the browser and fetch the scripts on our side. We then verify we got the same script. We don't place ourselves in the path of a script unless you explicitly ask us to. Just one script to add to the site, it takes seconds.
- Gatekeeper Mode - Safest: We check script behaviors and cside places itself in the middle between the uncontrolled third-party and the end user - only script you didn't already trust. Just one script to add to the site, it takes seconds.
- Scan mode - Fastest: If you can't add a script to the site, cside will scan it. We will use the cside threat intel gathered by thousands of other websites with combined billions of visitors to help secure your site the best you can.
The mix of the above brings us closest to full coverage technically possible today.
As a nice side piece, with some of the approaches we have taken we were able to make websites faster depending on the scripts on the webpage. Placing a solution in the middle only makes things slower if they are already fully optimized, which is often not the case.
With this cside helps companies achieve compliance, whether its security or privacy focussed.
Cside actively contributes to the W3C in the hopes of creating attention to client-side security. Aiming to make adjustments to the browser specification to allow for fully bulletproof client-side security.
At cside, we capture attacks. If you are reading this blogpost, you are likely a sufficiently high value target for a bad actor to invest some level of mental capacity to inspect how your web security works. It is better to be safe and assume a bad actor will attempt to bypass security solutions you use. So use solutions that think a step ahead.
Sign up or book a demo to get started.
