Scan result details

This page describes the details of scan results for Web Security Scanner, how to interpret those results, and how scans affect your logs.

Vulnerability classes

Web Security Scanner detects the following classes of vulnerabilities:

  • Cross-site scripting (XSS)
  • Flash injection
  • Mixed-content
  • Clear text passwords
  • Use of insecure JavaScript libraries

If any of these are found, then the result is highlighted for you to explore in detail.

findingType string values

The table below describes the valid string values for the findingType field in a Web Security Scanner Finding resource. The Finding resource represents a vulnerability instance identified during a ScanRun, and the findingType field indicates the type of the vulnerability.

New findingType values are introduced when a vulnerability is added by Google Cloud. New vulnerability types can be added without an update to the existing APIs. This page will be updated whenever a new findingType value is introduced. Changes to the list of valid values will always be noted in the Release notes page.

findingType string | Description
MIXED_CONTENT | A page that was served over HTTPS also loads resources over HTTP. A man-in-the-middle attacker could tamper with the HTTP resource and gain full access to the website that loads the resource, or monitor the actions taken by the user.
OUTDATED_LIBRARY | The version of an included library is known to contain a security issue. The scanner checks the version of the library in use against a known list of vulnerable libraries. False positives are possible if the version detection fails or if the library has been manually patched.
ROSETTA_FLASH | The value of a request parameter is reflected at the beginning of the response, for example, in requests using JSONP. Under certain circumstances, an attacker might be able to supply an alphanumeric-only Flash file in the vulnerable parameter. This can cause the browser to execute the Flash file as if it originated on the vulnerable server.
XSS | An XSS bug is found via a JavaScript callback. For detailed information, see Cross-site scripting.
XSS_ERROR | A potential XSS bug due to JavaScript breakage. In some circumstances, the application under test might modify the test string before it is parsed by the browser. When the browser tries to run this modified test string, it is likely to break and throw a JavaScript execution error. This is an injection issue, but it might not be possible to exploit it. You need to manually verify whether the test string modifications can be evaded to confirm whether the issue is an XSS vulnerability. For detailed information, see Cross-site scripting.
CLEAR_TEXT_PASSWORD | An application appears to be transmitting a password field in clear text. An attacker can eavesdrop on network traffic and sniff the password field.
INVALID_CONTENT_TYPE | An application returns sensitive content with an invalid content type, or without an X-Content-Type-Options: nosniff header.
XSS_ANGULAR_CALLBACK | An XSS vulnerability in an AngularJS module that occurs when a user-provided string is interpolated by Angular.
INVALID_HEADER | A malformed header, or a header with an invalid value.
MISSPELLED_SECURITY_HEADER_NAME | A misspelled security header name.
MISMATCHING_SECURITY_HEADER_VALUES | Mismatching values in a duplicate security header.
ACCESSIBLE_GIT_REPOSITORY | The scan found an accessible git repository.
ACCESSIBLE_SVN_REPOSITORY | The scan found an accessible SVN repository.
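To make the header-related finding types concrete, here is an added example (not Web Security Scanner's own logic) that maps a response's headers to INVALID_CONTENT_TYPE, MISSPELLED_SECURITY_HEADER_NAME and MISMATCHING_SECURITY_HEADER_VALUES as the table describes them. The set of recognised security header names and the similarity cutoff are assumptions made for the example; the scanner's actual list and matching rules are not published on this page.

```python
import difflib
import re
from typing import Iterable, List, Tuple

# Security header names the checker knows about. This set is an assumption for
# the example; the page does not publish the scanner's own list.
SECURITY_HEADERS = {
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "x-frame-options",
}
MEDIA_TYPE = re.compile(r"^[\w.+-]+/[\w.+-]+$")


def check_headers(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Map a response's headers to the header-related findingType names.

    Headers are taken as (name, value) pairs rather than a dict so that a header
    sent twice is preserved: MISMATCHING_SECURITY_HEADER_VALUES is exactly about
    duplicates with different values, which a dict would silently collapse.
    """
    findings = set()
    seen = {}  # lower-cased header name -> set of distinct values
    for name, value in headers:
        key = name.strip().lower()
        seen.setdefault(key, set()).add(value.strip())
        # Near miss against a known security header name (e.g. a dropped "s").
        if key not in SECURITY_HEADERS and difflib.get_close_matches(
            key, SECURITY_HEADERS, n=1, cutoff=0.85
        ):
            findings.add("MISSPELLED_SECURITY_HEADER_NAME")
    for key, values in seen.items():
        if key in SECURITY_HEADERS and len(values) > 1:
            findings.add("MISMATCHING_SECURITY_HEADER_VALUES")
    # INVALID_CONTENT_TYPE: Content-Type missing or not a media type, or no
    # "X-Content-Type-Options: nosniff" to stop browsers from sniffing it.
    ctype = sorted(seen.get("content-type", {""}))[0].split(";")[0].strip()
    nosniff = any(v.lower() == "nosniff" for v in seen.get("x-content-type-options", ()))
    if not MEDIA_TYPE.match(ctype) or not nosniff:
        findings.add("INVALID_CONTENT_TYPE")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample response headers, not captured from a real site.
    sample = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Content-Type-Option", "nosniff"),  # misspelled, so nosniff is absent
        ("X-Frame-Options", "DENY"),
        ("X-Frame-Options", "SAMEORIGIN"),  # duplicate with a different value
    ]
    print(check_headers(sample))
```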

Impact on logs

Traces of Web Security Scanner scans appear in your log files. For example, Web Security Scanner generates requests for unusual strings like ~sfi9876 and /sfi9876. This enables the scan to examine your application's error pages. These intentionally invalid page requests will appear in your logs.