Find hijackable external javascript sources

I was thinking of This story from a few years ago and decided to write a tool that will help protect against a similar occurrence.

The problem was that a call to a googleapis javascript source was misspelled to googleaspis, meaning someone could register that domain and serve up malicious javascript code.

My new tool js404 is a very fast and lightweight check to ensure that this won’t happen to your site.

Given a list of urls it will load each one and find any javascript calls that didn’t load. It’ll then strip these urls down to the domain and do a check to ensure that this domain is registered, if it isn’t it’ll write the invalid domain, full path to the intended javascript file and the URL affected to a user-specified file and stdout.

It’s not been a major issue from what I can see but it has been an interesting project to do, and it’s small part of a larger set of tools I have under development that doesn’t take much time to run.