Note: This feature is available for the Security Command Center Enterprise, Premium, and Standard tiers, though some functionality may be limited in the Premium or Standard tier.
Web Security Scanner identifies security vulnerabilities and misconfigurations in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications. It crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible. Web Security Scanner only supports public URLs and IPs that aren't behind a firewall.
Web Security Scanner supports the App Engine standard and flexible environments, Compute Engine instances, and GKE resources.
Web Security Scanner is designed to complement your existing secure design and development processes. To avoid distracting you with false positives, Web Security Scanner errs on the side of under-reporting and doesn't display low-confidence alerts. It does not replace a manual security review, and it does not guarantee that your application is free of security flaws.
Note: Google may use aggregated and anonymized data to improve the performance of Web Security Scanner and to analyze web vulnerability trends. Google won't share information on specific issues or the security state of a scanned website with any third party.

Findings categorized as misconfigurations represent issues that can be resolved through customer action by updating configurations. Although these findings are important for improving security posture, they are distinct from vulnerabilities, which represent actively exploitable weaknesses. You can view these misconfigurations on the Findings page of Security Command Center. For more information, see Web Security Scanner misconfiguration findings.
Caution: Web Security Scanner can adversely affect the reliability of some applications and might not be suitable for use in a production environment. Also, Web Security Scanner cannot detect all possible vulnerabilities in an application. For more information, see the following:
Scan types
Web Security Scanner provides managed and custom web vulnerability scanning for public web applications hosted on App Engine, GKE, and Compute Engine.

Managed scans
Premium and Enterprise service tiers
Web Security Scanner managed scans are configured and managed by Security Command Center. Managed scans automatically run once each week to detect and scan public web endpoints. These scans don't use authentication and they send GET-only requests, so they don't submit any forms on live websites.
Managed scans run separately from custom scans.
If Security Command Center is activated at the organization level, you can use managed scans to centrally manage basic web application vulnerability detection for projects in your organization, without having to involve individual project teams. When findings are discovered, you can work with those teams to set up more comprehensive custom scans.
When you enable Web Security Scanner as a service, managed scan findings are automatically available in the Security Command Center Vulnerabilities page and related reports. For information about how to enable Web Security Scanner managed scans, see Configure Security Command Center services.
Managed scans support only applications that use the default port, which is 80 for HTTP connections and 443 for HTTPS connections. If your application uses a non-default port, do a custom scan instead.
Custom scans
Standard, Premium, and Enterprise service tiers
Web Security Scanner custom scans provide granular information about application vulnerability findings, such as outdated libraries, cross-site scripting, or use of mixed content.
You define custom scans at the project level.
Custom scan findings are available in Security Command Center after you complete the guide to set up Web Security Scanner custom scans.
Scan findings
This section describes Web Security Scanner finding types and relevant compliance standards.
Note: Attack path simulations don't support Web Security Scanner findings, so the findings don't get attack exposure scores or attack paths.

Detectors and compliance
Web Security Scanner supports categories in the OWASP Top Ten, a document that ranks the ten most critical web application security risks and provides remediation guidance for them, as determined by the Open Web Application Security Project (OWASP).
Note: The category A09:2021 Security Logging and Monitoring Failures (previously A10:2017 Insufficient Logging & Monitoring) is not supported. This category describes insufficiencies that allow attackers to remain undetected. Unlike the other nine OWASP categories, it doesn't describe specific vulnerabilities that an attacker can exploit, so Web Security Scanner has no way to attack the application and provoke a response that would reveal the weakness. The issues in this category require human judgment.

The compliance mapping is included for reference and is not provided or reviewed by the OWASP Foundation. It's intended only to help you monitor for compliance control violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification, or report of compliance of your products or services with any regulatory or industry benchmarks or standards.
For more information about compliance, see Assess and report security benchmark compliance.
Finding types
Web Security Scanner custom and managed scans identify the following finding types. In the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.
Each entry below gives the finding name, its category name in the API, a description, the pricing tier in which it's available, its finding category (Vulnerability or Misconfiguration), and its mapping to the OWASP 2017 and 2021 Top 10.

Accessible Git repository
Category name in the API: ACCESSIBLE_GIT_REPOSITORY
A Git repository is exposed publicly. To resolve this finding, remove unintentional public access to the Git repository.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A5. OWASP 2021: A01.

Accessible SVN repository
Category name in the API: ACCESSIBLE_SVN_REPOSITORY
An SVN repository is exposed publicly. To resolve this finding, remove unintentional public access to the SVN repository.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A5. OWASP 2021: A01.

Accessible ENV file
Category name in the API: ACCESSIBLE_ENV_FILE
An ENV file is exposed publicly. To resolve this finding, remove unintentional public access to the ENV file.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A5. OWASP 2021: A01.

Cacheable password input
Category name in the API: CACHEABLE_PASSWORD_INPUT
Passwords entered on the web application can be cached in a regular browser cache instead of secure password storage.
Pricing tier: Premium
Finding category: Vulnerability. OWASP 2017: A3. OWASP 2021: A04.

Clear text password
Category name in the API: CLEAR_TEXT_PASSWORD
Passwords are being transmitted in clear text and can be intercepted. To resolve this finding, encrypt the password in transit: serve the login page and submit its form only over HTTPS.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A3. OWASP 2021: A02.

Insecure allow origin ends with validation
Category name in the API: INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION
A cross-site HTTP or HTTPS endpoint validates only a suffix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. A check such as endsWith("google.com") also accepts any attacker-registered domain that happens to end in those characters, such as evilgoogle.com. To resolve this finding, validate that the expected root domain is a complete domain component of the Origin header value before reflecting it in the Access-Control-Allow-Origin response header. For subdomain wildcards, prepend the dot to the root domain, for example .endsWith(".google.com").
Pricing tier: Premium
Finding category: Vulnerability. OWASP 2017: A5. OWASP 2021: A01.

Insecure allow origin starts with validation
Category name in the API: INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION
A cross-site HTTP or HTTPS endpoint validates only a prefix of the Origin request header before reflecting it inside the Access-Control-Allow-Origin response header. A check such as startsWith("https://www.google.com") also accepts an origin such as https://www.google.com.attacker.example, whose host the attacker controls. To resolve this finding, validate that the expected origin fully matches the Origin header value before reflecting it in the Access-Control-Allow-Origin response header. The Origin header carries the scheme and host, so compare against the complete origin, for example .equals("https://www.google.com").
Pricing tier: Premium
Finding category: Vulnerability. OWASP 2017: A5. OWASP 2021: A01.

Invalid content type
Category name in the API: INVALID_CONTENT_TYPE
A resource was loaded whose content doesn't match the response's Content-Type HTTP header. To resolve this finding, send the correct Content-Type header and set the X-Content-Type-Options HTTP header to nosniff so that browsers don't guess the type.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A6. OWASP 2021: A05.

Invalid header
Category name in the API: INVALID_HEADER
A security header has a syntax error and is ignored by browsers. To resolve this finding, set HTTP security headers correctly.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A6. OWASP 2021: A05.

Mismatching security header values
Category name in the API: MISMATCHING_SECURITY_HEADER_VALUES
A security header is sent more than once with different values, which results in undefined behavior. To resolve this finding, set each HTTP security header exactly once, with a single correct value.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A6. OWASP 2021: A05.

Misspelled security header name
Category name in the API: MISSPELLED_SECURITY_HEADER_NAME
A security header name is misspelled, so browsers ignore the header. To resolve this finding, set HTTP security headers correctly.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A6. OWASP 2021: A05.

Mixed content
Category name in the API: MIXED_CONTENT
Resources are being served over HTTP on an HTTPS page. To resolve this finding, make sure that all resources are served over HTTPS.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A6. OWASP 2021: A05.

Outdated library
Category name in the API: OUTDATED_LIBRARY
A library was detected that has known vulnerabilities. To resolve this finding, upgrade the library to a version in which those vulnerabilities are fixed.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A9. OWASP 2021: A06.

Server side request forgery
Category name in the API: SERVER_SIDE_REQUEST_FORGERY
A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an allowlist to limit the domains and IP addresses that the web application can make requests to.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: Not applicable. OWASP 2021: A10.

Session ID leak
Category name in the API: SESSION_ID_LEAK
When making a cross-domain request, the web application includes the user's session identifier in its Referer request header. This vulnerability gives the receiving domain access to the session identifier, which can be used to impersonate or uniquely identify the user. To resolve this finding, keep session identifiers out of URLs, and set a Referrer-Policy response header (for example, strict-origin-when-cross-origin) so that the path and query string aren't sent to other origins.
Pricing tier: Premium
Finding category: Vulnerability. OWASP 2017: A2. OWASP 2021: A07.

SQL injection
Category name in the API: SQL_INJECTION
A potential SQL injection vulnerability was detected. To resolve this finding, use parameterized queries to prevent user inputs from influencing the structure of the SQL query.
Pricing tier: Premium
Finding category: Vulnerability. OWASP 2017: A1. OWASP 2021: A03.

Struts insecure deserialization
Category name in the API: STRUTS_INSECURE_DESERIALIZATION
The use of a vulnerable version of Apache Struts was detected. To resolve this finding, upgrade Apache Struts to the latest version.
Pricing tier: Premium
Finding category: Vulnerability. OWASP 2017: A8. OWASP 2021: A08.

XSS
Category name in the API: XSS
A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this finding, validate and escape untrusted user-supplied data.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A7. OWASP 2021: A03.

XSS angular callback
Category name in the API: XSS_ANGULAR_CALLBACK
A user-provided string isn't escaped and AngularJS can interpolate it. To resolve this finding, validate and escape untrusted user-supplied data handled by the AngularJS framework.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A7. OWASP 2021: A03.

XSS error
Category name in the API: XSS_ERROR
A field in this web application is vulnerable to a cross-site scripting attack. To resolve this finding, validate and escape untrusted user-supplied data.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A7. OWASP 2021: A03.

XXE reflected file leakage
Category name in the API: XXE_REFLECTED_FILE_LEAKAGE
An XML External Entity (XXE) vulnerability was detected. This vulnerability can cause the web application to leak a file on the host. To resolve this finding, configure your XML parsers to disallow external entities.
Pricing tier: Premium
Finding category: Vulnerability. OWASP 2017: A4. OWASP 2021: A05.

Prototype pollution
Category name in the API: PROTOTYPE_POLLUTION
The application is vulnerable to prototype pollution. This vulnerability arises when properties of the Object.prototype object can be assigned attacker-controllable values. Because every ordinary object inherits from Object.prototype, values planted there often lead to cross-site scripting or similar client-side vulnerabilities, as well as logic bugs. To resolve this finding, reject the keys __proto__, constructor, and prototype when merging or assigning untrusted input into objects.
Pricing tier: Premium or Standard
Finding category: Vulnerability. OWASP 2017: A1. OWASP 2021: A03.

HSTS misconfiguration
Category name in the API: HSTS_MISCONFIGURATION
A misconfigured HTTP Strict Transport Security (HSTS) header was detected. HSTS headers force browsers to connect only over encrypted channels (TLS), so that plaintext HTTP connections fail. To significantly reduce the risk of downgrade and eavesdropping attacks on HTTP connections, resolve the misconfigured HSTS header. Find out more about HSTS headers.
Pricing tier: Premium
Finding category: Misconfiguration. OWASP 2017: Not applicable. OWASP 2021: Not applicable.

CSP missing
Category name in the API: CSP_MISSING
A missing Content Security Policy (CSP) HTTP response header was detected. CSP headers mitigate the exploitation of common web vulnerabilities, particularly cross-site scripting (XSS), by preventing untrusted scripts or plugins from being loaded. A strict CSP header is recommended. Find out more about CSP headers.
Pricing tier: Premium
Finding category: Misconfiguration. OWASP 2017: Not applicable. OWASP 2021: Not applicable.

CSP misconfiguration
Category name in the API: CSP_MISCONFIGURATION
A misconfigured Content Security Policy (CSP) HTTP response header was detected. CSP headers mitigate the exploitation of common web vulnerabilities, particularly cross-site scripting (XSS), by preventing untrusted scripts or plugins from being loaded. A strict CSP header is recommended. Learn more about CSP headers.
Pricing tier: Premium
Finding category: Misconfiguration. OWASP 2017: Not applicable. OWASP 2021: Not applicable.

COOP missing
Category name in the API: COOP_MISSING
A missing Cross-Origin-Opener-Policy (COOP) HTTP header was detected. COOP is a web security mechanism that prevents a page opened in a new window from accessing the properties of the page that opened it. COOP offers a strong layer of protection against common web attacks.
Pricing tier: Premium
Finding category: Misconfiguration. OWASP 2017: Not applicable. OWASP 2021: Not applicable.

Clickjacking protection missing
Category name in the API: CLICKJACKING_PROTECTION_MISSING
A response header that prevents clickjacking is missing. To prevent clickjacking, set an HTTP response header such as X-Frame-Options (XFO) or Content-Security-Policy (CSP) with a frame-ancestors directive. Clickjacking (also called UI redress) is a web attack in which attackers embed the target website in an invisible or disguised frame on a page they control, so that victims don't realize they are taking an important action on the target site. Setting one of these HTTP response headers is recommended: XFO headers are easy to use; CSP headers provide more flexibility.
- Learn more about XFO headers
- Learn more about CSP headers
Pricing tier: Premium
Finding category: Misconfiguration. OWASP 2017: Not applicable. OWASP 2021: Not applicable.

Usage caveats
The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level at which you are granted access. To learn more about Security Command Center roles, see Access control.
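The two insecure-origin findings listed above (INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION and INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION), shown as an added JavaScript example that is not part of this page or of Web Security Scanner. The function names, the allowlist, and the attacker-controlled hosts (evilgoogle.com, attacker.example) are assumptions of the example; only google.com comes from the page.

```javascript
// Added example, not code from this page or from Web Security Scanner.
// Domain names are illustrative assumptions; only google.com comes from the page.

// Vulnerable (INSECURE_ALLOW_ORIGIN_ENDS_WITH_VALIDATION): a suffix check with
// no leading dot also accepts an attacker-registered lookalike such as
// https://evilgoogle.com, which is then reflected into Access-Control-Allow-Origin.
function allowOriginEndsWith(origin) {
  return origin.endsWith('google.com') ? origin : null;
}

// Vulnerable (INSECURE_ALLOW_ORIGIN_STARTS_WITH_VALIDATION): a prefix check
// accepts https://www.google.com.attacker.example, whose host is attacker-controlled.
function allowOriginStartsWith(origin) {
  return origin.startsWith('https://www.google.com') ? origin : null;
}

// Hardened: Origin is "<scheme>://<host>[:<port>]" with no path, so compare the
// whole value against an allowlist of complete origins. Optional subdomain
// support works on the parsed hostname with a dot-prefixed suffix, after
// checking that the value round-trips through the URL parser unchanged (this
// rejects values smuggled in via userinfo, fragments, paths or default ports).
const ALLOWED_ORIGINS = new Set(['https://www.google.com', 'https://app.google.com']); // assumed allowlist
const ALLOWED_PARENT_SUFFIX = '.google.com';

function allowOriginExact(origin, { allowSubdomains = false } = {}) {
  if (typeof origin !== 'string') return null;
  if (ALLOWED_ORIGINS.has(origin)) return origin;
  if (!allowSubdomains) return null;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return null; // not a well-formed origin; this also covers the literal "null"
  }
  if (url.origin !== origin || url.protocol !== 'https:') return null;
  return url.hostname.endsWith(ALLOWED_PARENT_SUFFIX) ? origin : null;
}

// Response headers for an allowed origin. Vary: Origin is required whenever the
// header value depends on the request; otherwise a shared cache could serve one
// origin's CORS response to another.
function corsHeaders(origin, options) {
  const allowed = allowOriginExact(origin, options);
  if (allowed === null) return {};
  return { 'Access-Control-Allow-Origin': allowed, Vary: 'Origin' };
}
```

Each check returns the value to place in Access-Control-Allow-Origin, or null to send no CORS headers at all. The hardened check rejects the literal origin null, values carrying a fragment or a default port, and any hostname that merely ends in the characters google.com.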
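The header findings listed above (INVALID_HEADER, MISMATCHING_SECURITY_HEADER_VALUES, MISSPELLED_SECURITY_HEADER_NAME, HSTS_MISCONFIGURATION, CSP_MISSING, COOP_MISSING and CLICKJACKING_PROTECTION_MISSING), as one added JavaScript audit run over a response's headers. This is example code, not the detection logic Web Security Scanner uses; the sample responses, the one-year HSTS threshold, the two-character misspelling window, and the set of headers it knows about are assumptions of the example.

```javascript
// Added example, not code from this page or from Web Security Scanner. Audits one
// response's headers and returns the names of the findings above that apply.
// Sample headers and thresholds are constructed assumptions.

const HSTS_MIN_MAX_AGE = 31536000; // assumed policy: one year, the HSTS preload list's minimum

// Per-header syntax checks: each returns the finding names for one header value.
const KNOWN_HEADERS = {
  'strict-transport-security': (v) => {
    // RFC 6797: ';'-separated directives, max-age=<digits> is mandatory.
    const parts = v.split(';').map((p) => p.trim().toLowerCase()).filter(Boolean);
    const maxAge = parts.find((p) => p.startsWith('max-age='));
    const allKnown = parts.every((p) => p.startsWith('max-age=') || p === 'includesubdomains' || p === 'preload');
    if (!maxAge || !/^max-age=\d+$/.test(maxAge) || !allKnown) return ['INVALID_HEADER'];
    return Number(maxAge.slice('max-age='.length)) < HSTS_MIN_MAX_AGE ? ['HSTS_MISCONFIGURATION'] : [];
  },
  'content-security-policy': (v) => (v.trim() ? [] : ['INVALID_HEADER']),
  'x-frame-options': (v) => (['deny', 'sameorigin'].includes(v.trim().toLowerCase()) ? [] : ['INVALID_HEADER']),
  'x-content-type-options': (v) => (v.trim().toLowerCase() === 'nosniff' ? [] : ['INVALID_HEADER']),
  'cross-origin-opener-policy': (v) =>
    ['unsafe-none', 'same-origin-allow-popups', 'same-origin'].includes(v.trim().toLowerCase()) ? [] : ['INVALID_HEADER'],
};

// Levenshtein distance, used to spot a security header whose name is off by a
// character or two (browsers silently ignore such a header).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// headers: array of [name, value] pairs in wire order, so duplicates survive.
function auditSecurityHeaders(headers) {
  const findings = new Set();
  const byName = new Map();
  for (const [name, value] of headers) {
    const key = name.trim().toLowerCase();
    if (!byName.has(key)) byName.set(key, []);
    byName.get(key).push(value);
  }
  for (const [name, values] of byName) {
    const check = KNOWN_HEADERS[name];
    if (check) {
      if (new Set(values.map((v) => v.trim().toLowerCase())).size > 1) findings.add('MISMATCHING_SECURITY_HEADER_VALUES');
      for (const v of values) check(v).forEach((f) => findings.add(f));
    } else if (Object.keys(KNOWN_HEADERS).some((known) => editDistance(name, known) <= 2)) {
      findings.add('MISSPELLED_SECURITY_HEADER_NAME');
    }
  }
  const hasValid = (name) => (byName.get(name) || []).some((v) => KNOWN_HEADERS[name](v).length === 0);
  const cspFrameAncestors = (byName.get('content-security-policy') || []).some((v) => /(^|;)\s*frame-ancestors\s/i.test(v));
  if (!byName.has('content-security-policy')) findings.add('CSP_MISSING');
  if (!byName.has('cross-origin-opener-policy')) findings.add('COOP_MISSING');
  if (!hasValid('x-frame-options') && !cspFrameAncestors) findings.add('CLICKJACKING_PROTECTION_MISSING');
  return [...findings].sort();
}

// Constructed sample responses (not captured traffic).
const WEAK_HEADERS = [
  ['Content-Type', 'text/html; charset=utf-8'],
  ['Strict-Transport-Security', 'max-age=abc'], // syntax error: ignored by browsers
  ['X-Frame-Option', 'DENY'], // misspelled: no clickjacking protection at all
  ['X-Content-Type-Options', 'nosniff'],
  ['X-Content-Type-Options', 'none'], // duplicated with a different value
];
const HARDENED_HEADERS = [
  ['Strict-Transport-Security', 'max-age=31536000; includeSubDomains'],
  ['Content-Security-Policy', "default-src 'self'; frame-ancestors 'none'"],
  ['X-Frame-Options', 'DENY'],
  ['X-Content-Type-Options', 'nosniff'],
  ['Cross-Origin-Opener-Policy', 'same-origin'],
];
```

The audit takes the headers as [name, value] pairs in wire order, because collapsing them into an object would hide the duplicate that MISMATCHING_SECURITY_HEADER_VALUES is about. Run it against the headers of every distinct response type (HTML pages, API responses, error pages), since hardening middleware often covers only the first.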
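The PROTOTYPE_POLLUTION finding listed above, as an added JavaScript example that is not part of this page or of Web Security Scanner: the kind of recursive merge that lets client-supplied JSON reach Object.prototype, next to a hardened merge. The payload and the property name isAdmin are constructed for the example.

```javascript
// Added example, not code from this page or from Web Security Scanner: a
// recursive merge that lets JSON from the client pollute Object.prototype,
// next to a hardened merge. The payload is constructed sample input.

// Vulnerable: walks into whatever target[key] resolves to. For the key
// "__proto__" that is Object.prototype itself, so the attacker's properties
// land on every ordinary object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: never follow the three keys that reach the prototype chain, and only
// recurse into plain objects that target owns directly (not inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// JSON.parse creates an own property literally named "__proto__" (it does not
// set the prototype), which is exactly what unsafeMerge's recursion then follows.
const PAYLOAD = '{"profile":{"name":"alice"},"__proto__":{"isAdmin":true}}'; // constructed attacker input

// Runs the vulnerable merge, records what an unrelated object then reports for
// isAdmin, and removes the planted property so the rest of the process is clean.
function demonstratePollution() {
  const unrelated = {};
  const before = unrelated.isAdmin;
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const after = unrelated.isAdmin;
  delete Object.prototype.isAdmin;
  return { before, after, cleanedUp: unrelated.isAdmin === undefined };
}
```

demonstratePollution returns {before: undefined, after: true, cleanedUp: true}: after the vulnerable merge, an object created before the merge and never touched by it reports isAdmin as true, because the lookup falls through to the polluted prototype. A planted property read by a template engine, a sanitizer's option object, or a client-side router is where the cross-site scripting and logic bugs the finding description mentions come from.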
Other important things to be aware of when using Web Security Scanner:
For information about the Identity and Access Management (IAM) roles that are available for Web Security Scanner, see Access control.
How much time is required for a security scan?
The security scan does not execute immediately. It is queued and then executes later, possibly hours later depending on system load. After the scan starts, the time it takes depends on the size of your application. A scan of a large application with many URLs can take several hours, or even days. If a scan has not completed within 20 days, the scan is automatically stopped, and all crawl results and findings found up to that point are visible as the scan result.

Target restrictions
Web Security Scanner has filters in place that restrict scan targets to the specific App Engine instance for which the scan is created. Entering URLs for a different App Engine project or an outside domain results in an error message.
Important: Attempting to subvert or in any way direct traffic to out-of-scope URLs is a violation of the acceptable use policy.

Scans for Compute Engine and GKE are restricted to domains that map to static external IP addresses reserved for the same project, and to static external IP addresses that belong to the same project. For instructions on reserving IP addresses for projects, see the following links:
- Compute Engine: Reserving a static external IP address
App Engine does not provide a way to map static IP addresses to an application. However, you can use Cloud Load Balancing and serverless network endpoint groups to reserve a static IP address for your load balancer, which then directs traffic to your application. For information about pricing, see All networking pricing.
Within your project, Web Security Scanner automatically attempts to avoid logout URLs and other generic locations that may adversely affect a scan. However, to be sure, you can use the scan settings to manually exclude URLs.

Validation
Scan configurations are validated when they are created and before each scan. Web Security Scanner checks Security Command Center settings and your application's authentication credentials to ensure that scans are configured correctly and can log in to your application successfully. Configuration parameters, including maximum scan speed, are also checked to ensure that they are within supported ranges.
You must resolve errors before a scan can be created or updated. Applications that change after initial configuration may produce errors during scans. For example, if a domain no longer points to an IP address owned by the project, the resource is not scanned and an error is reported on the scan configuration page.

Best practices
Because Web Security Scanner populates fields, pushes buttons, clicks links, and performs other user actions, you should use it with caution, particularly if you are scanning production resources. Web Security Scanner could potentially activate features that change the state of your data or system, with undesirable results.
For example:
Following are some techniques that you can use, separately or in combination, to avoid unwanted outcomes:
- Apply the CSS class inq-no-click to any element that the scanner must not activate. Event handlers that are attached to this element aren't activated during crawling and testing, regardless of whether they are inline JavaScript, attached using addEventListener, or attached by setting the appropriate event handler property.
Before you scan, carefully audit your application for any feature that might affect data, users, or systems beyond the scope of your scan.
What's next