This page describes the details of scan results for Cloud Security Scanner.
Cross-Site Scripting (XSS)
Cloud Security Scanner cross-site scripting (XSS) injection testing simulates an injection attack by inserting a benign test string into user-editable fields and then performing a variety of user actions. Custom detectors observe the browser and the DOM during the test to determine whether the injection succeeded and to assess its potential for exploitation.
Following is an example of an XSS alert in the vulnerable parameter
The request that was found to have an injection issue is shown below.
There are various ways to fix this problem. The recommended way is to escape all output, ideally by using a templating system that supports contextual auto-escaping, that is, one that escapes each value for the specific context (HTML text, attribute value, script literal) into which it is inserted.
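The vulnerable pattern beside the fix, as an added example in Python (not code from this page or from Cloud Security Scanner). The probe string, the tiny placeholder template engine and the function names are assumptions made for illustration; the DOM check at the end mimics what a detector looking at the parsed page would see. A production application should use a real auto-escaping template library rather than this sketch.

```python
import html
import json
import re
from html.parser import HTMLParser

# Constructed probe string (not a real scanner finding). Like the scanner's
# benign test string it does nothing harmful by itself, but if it is reflected
# unescaped it closes the surrounding attribute and injects a script element.
PROBE = '"><script>probe()</script>'


def render_vulnerable(query):
    """Reflects the query into an HTML text node and an attribute value by
    plain string concatenation, with no escaping at all."""
    return ('<p>Results for ' + query + '</p>\n'
            '<input name="q" value="' + query + '">')


def escape_html(value):
    """Escape for HTML text and double-quoted attribute contexts."""
    return html.escape(str(value), quote=True)


def escape_js(value):
    """Escape for a JavaScript string literal inside <script>: JSON-encode the
    value and break up '</' so the literal can never terminate the element."""
    return json.dumps(str(value)).replace('</', '<\\/')


# A minimal contextual-escaping template engine (assumption, for illustration):
# every placeholder names the context it is inserted into ({{name|html}} or
# {{name|js}}); html is the default, so a forgotten annotation still escapes.
_PLACEHOLDER = re.compile(r'\{\{\s*(\w+)(?:\|(html|js))?\s*\}\}')
_ESCAPERS = {'html': escape_html, 'js': escape_js}


def render_template(template, **values):
    def substitute(match):
        name, context = match.group(1), match.group(2) or 'html'
        return _ESCAPERS[context](values[name])
    return _PLACEHOLDER.sub(substitute, template)


SAFE_TEMPLATE = (
    '<p>Results for {{q}}</p>\n'
    '<input name="q" value="{{q|html}}">\n'
    '<script>const query = {{q|js}};</script>'
)


def render_safe(query):
    """Same page as render_vulnerable, rendered through the escaping template."""
    return render_template(SAFE_TEMPLATE, q=query)


class _ScriptCollector(HTMLParser):
    """Collects the body of every <script> element, the way a DOM observer
    would see it after the browser has parsed the page."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self._in_script = True
            self.scripts.append('')

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def injected(page, marker='probe()'):
    """True if the parsed page contains a script element whose whole body is
    the probe's code, i.e. the reflected input became executable markup."""
    collector = _ScriptCollector()
    collector.feed(page)
    collector.close()
    return any(script.strip() == marker for script in collector.scripts)


if __name__ == '__main__':
    print('vulnerable page injected:', injected(render_vulnerable(PROBE)))
    print('safe page injected:', injected(render_safe(PROBE)))
```

Note that the safe page still contains the characters of the probe, only encoded: in the text and attribute contexts as entities, and in the script context as a JSON string literal with `</` broken up. That is the point of contextual escaping: the same value needs a different encoding in each place it lands.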
Flash Injection
Cloud Security Scanner may find a parameter that is reflected back at the very beginning of a response. This enables the attack known as Rosetta Flash: under certain circumstances, an attacker can craft the reflected value so that the browser executes the response as if it were a Flash (SWF) file served by the vulnerable web application.
Following is an example of a Flash injection alert in the parameter
To fix this, don't include user-controllable data at the start of an HTTP response. Flash Player itself reached end of life at the end of 2020, but a response whose first bytes are attacker-controlled is still a problem and should be fixed.
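The typical place this shows up is a JSONP endpoint that echoes the callback parameter as the first bytes of the body. Below, as an added example in Python (not code from this page or from Cloud Security Scanner), is the vulnerable responder beside a hardened one, plus the check a scanner would run to spot the reflection. The hardening is the widely used one of prefixing the body with a fixed `/**/` comment; the callback name and payload are constructed stand-ins, not a working Rosetta Flash SWF.

```python
import re

# Only a plain identifier may be used as a JSONP callback name. Note that this
# alone does not stop Rosetta Flash: the attack payload is an alphanumeric-only
# SWF, so it passes this check. It merely closes off cruder injections.
_CALLBACK_RE = re.compile(r'^[A-Za-z_$][A-Za-z0-9_$]*$')

# Fixed, harmless prefix: a JavaScript comment that is a no-op for the
# legitimate caller but guarantees the response never begins with the
# reflected value, so its first bytes can never form an SWF signature.
_PREFIX = '/**/'

# Constructed stand-in for a Rosetta Flash callback (not a working SWF). A
# real payload is an alphanumeric-only SWF whose first bytes are the
# compressed-SWF signature 'CWS'.
SAMPLE_CALLBACK = 'CWSprobeCallback'


def callback_allowed(name):
    return bool(_CALLBACK_RE.match(name))


def jsonp_vulnerable(callback, payload_json):
    """Reflects the callback parameter as the very first bytes of the body."""
    return callback + '(' + payload_json + ')'


def jsonp_hardened(callback, payload_json):
    """Validates the callback, prefixes the body with a fixed comment, and
    returns the headers that stop the response being treated as some other
    content type. Returns (headers, body)."""
    if not callback_allowed(callback):
        raise ValueError('invalid JSONP callback name')
    headers = {
        'Content-Type': 'application/javascript; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
    }
    return headers, _PREFIX + callback + '(' + payload_json + ');'


def reflected_at_start(params, body):
    """Detection logic: names of request parameters whose value is reflected
    verbatim at offset 0 of the response body."""
    return [name for name, value in params.items()
            if value and body.startswith(value)]


if __name__ == '__main__':
    data = '{"ok": true}'
    print(reflected_at_start({'callback': SAMPLE_CALLBACK},
                             jsonp_vulnerable(SAMPLE_CALLBACK, data)))
    _, body = jsonp_hardened(SAMPLE_CALLBACK, data)
    print(reflected_at_start({'callback': SAMPLE_CALLBACK}, body))
```

The callback allow-list is still worth having, but it is the prefix that actually addresses this finding: after it, no request parameter is reflected at the start of the body, which is exactly what the detection function checks.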
Mixed Content
Cloud Security Scanner may find that a page served over HTTPS loads a resource, such as a script, over plain HTTP. Such a resource can be read or replaced by a network attacker even though the page itself is protected.
Following is an example of a mixed content alert in an HTTPS page
attribute_script, including an HTTP resource from
To fix this, load the resource over HTTPS, or use a scheme-relative URL (one that starts with // and inherits the scheme of the page), for example, replace
Outdated Library
Cloud Security Scanner may find that the version of an included library is known to contain a security issue. This is a signature-based check: the scanner attempts to identify the version of the library in use and compares it against a list of versions known to be vulnerable. False positives are possible if version detection fails, or if the library has been manually patched without its version string changing.
Following is an example of an outdated library alert due to the use of
Fix this by updating to a known secure version of the included library.
Clear Text Password
Cloud Security Scanner might find that the application appears to be transmitting a password field in clear text, for example from a page served over HTTP or from a form whose action is an HTTP URL.
Following is an example of a clear text password alert.
To protect sensitive information that passes between client and server, take the following precautions:
- Serve the application over TLS (HTTPS) with a valid certificate.
- Always use HTTPS on pages that include password fields.
- Make sure that form action attributes always point to an HTTPS URL.
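Both the mixed content finding and the clear text password finding come down to inspecting the scheme of URLs in the page: subresource URLs for the former, the page URL and form actions for the latter. The following is an added example in Python (not code from this page or from Cloud Security Scanner) that runs both checks over a constructed sample page, and applies the scheme-relative rewrite the mixed content section recommends. The sample page, URLs and function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that trigger a subresource load.
_RESOURCE_ATTRS = {
    ('script', 'src'), ('img', 'src'), ('iframe', 'src'), ('link', 'href'),
    ('audio', 'src'), ('video', 'src'), ('source', 'src'), ('embed', 'src'),
    ('object', 'data'),
}


class _PageAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme
        self._form_action = None   # resolved action of the open <form>, if any
        self.mixed_content = []    # absolute URLs of resources loaded over http
        self.cleartext_forms = []  # resolved targets of insecure password forms

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == 'form':
            # A form without an action submits to the page's own URL.
            self._form_action = urljoin(self.page_url, attrs.get('action') or '')
            return
        if tag == 'input' and (attrs.get('type') or '').lower() == 'password':
            target = self._form_action or self.page_url
            # Both the page and the submission target must be https.
            if self.page_scheme != 'https' or urlsplit(target).scheme != 'https':
                self.cleartext_forms.append(target)
            return
        for attr_name in ('src', 'href', 'data'):
            if (tag, attr_name) in _RESOURCE_ATTRS and attrs.get(attr_name):
                resolved = urljoin(self.page_url, attrs[attr_name])
                if self.page_scheme == 'https' and urlsplit(resolved).scheme == 'http':
                    self.mixed_content.append(resolved)

    def handle_endtag(self, tag):
        if tag == 'form':
            self._form_action = None


def audit_page(page_url, markup):
    """Returns (mixed_content_urls, cleartext_password_targets)."""
    auditor = _PageAuditor(page_url)
    auditor.feed(markup)
    auditor.close()
    return auditor.mixed_content, auditor.cleartext_forms


def scheme_relative(url):
    """The mixed content fix: drop the explicit http: scheme so the resource
    inherits the scheme of the page that loads it."""
    if urlsplit(url).scheme == 'http':
        return url[len('http:'):]
    return url


# Constructed sample page (not a real scan target).
SAMPLE_URL = 'https://app.example/login'
SAMPLE_PAGE = '''<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/lib.js"></script>
</head><body>
<img src="//cdn.example/logo.png">
<form action="http://app.example/do-login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<form method="post"><input type="password" name="pass2"></form>
</body></html>'''

if __name__ == '__main__':
    mixed, forms = audit_page(SAMPLE_URL, SAMPLE_PAGE)
    print('mixed content:', mixed)
    print('clear text password targets:', forms)
    print('rewritten:', [scheme_relative(u) for u in mixed])
```

On the sample, only the script loaded from `http://` is mixed content (the `//` image inherits https), and only the first form is flagged, because the second form has no action and therefore submits to the https page itself. Auditing the same markup as if it were served from an http URL flags both forms and no mixed content, since the whole page is already unprotected.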
Invalid Content-Type Header
Cloud Security Scanner might find that the content of a loaded resource doesn't match the response's Content-Type HTTP header. Browsers may then sniff the content and interpret it as a different type than the one the server intended.
Following is an example of an invalid Content-Type header alert.
To fix this vulnerability, ensure that:
- JSON responses are served with the Content-Type header
- Other sensitive responses are served with appropriate MIME types
- Content is served with the HTTP header
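As an added example in Python (not code from this page or from Cloud Security Scanner), the check below compares the declared Content-Type with what a body looks like, reports a missing nosniff header, and shows the correct way to emit a JSON response. The sniffing function is a deliberately small stand-in for the browser's real MIME sniffing algorithm, and the finding strings and function names are assumptions made for illustration.

```python
import json


def sniff(body):
    """Minimal stand-in for browser MIME sniffing (assumption, simplified):
    decides what a body looks like from its leading characters."""
    head = body.lstrip()
    if head[:1] in ('{', '['):
        try:
            json.loads(head)
            return 'application/json'
        except ValueError:
            pass
    if head[:1] == '<':
        return 'text/html'
    return 'text/plain'


def media_type(content_type):
    """'application/json; charset=utf-8' -> 'application/json'."""
    return content_type.split(';', 1)[0].strip().lower()


def audit_response(headers, body):
    """Findings for one response: declared type vs. what the body looks like,
    and whether content sniffing has been disabled."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    declared = media_type(lowered.get('content-type', ''))
    looks_like = sniff(body)
    if declared != looks_like:
        findings.append('content-type %s does not match body that looks like %s'
                        % (declared or '<missing>', looks_like))
    if lowered.get('x-content-type-options', '').strip().lower() != 'nosniff':
        findings.append('missing X-Content-Type-Options: nosniff')
    return findings


def json_response(payload):
    """Correct way to serve JSON: explicit media type plus nosniff.
    Returns (headers, body)."""
    headers = {
        'Content-Type': 'application/json; charset=utf-8',
        'X-Content-Type-Options': 'nosniff',
    }
    return headers, json.dumps(payload)


if __name__ == '__main__':
    # Constructed responses, not captured traffic.
    print(audit_response({'Content-Type': 'text/html'}, '{"user": "alice"}'))
    print(audit_response(*json_response({'user': 'alice'})))
```

The first call in the usage block reproduces the finding: a JSON body labelled text/html with no nosniff header. The second shows that a response built by `json_response` produces no findings.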
Verify the issue
When Cloud Security Scanner reports an issue, you'll need to verify the issue's location. Do this with a browser that has XSS protection turned off, so that the browser's own filter doesn't mask a real injection. It's best to use a separate test instance of Chrome with a throwaway profile, but you can use most modern browsers that allow you to disable XSS protection. Note that Chrome removed its XSS Auditor in version 78, so on current Chrome versions the --disable-xss-auditor flag is a no-op and is no longer needed; the separate profile is still worthwhile so the test doesn't touch your normal browsing data.
To disable XSS protection in Chrome:
If you use Linux, invoke the Chrome command as follows:
chrome --user-data-dir=~/.chrometest --allow-running-insecure-content --disable-xss-auditor --disable-sync --bwsi
If you use macOS, invoke the Chrome command as follows:
open -n /Applications/Google\ Chrome.app/ --args --disable-xss-auditor --user-data-dir=/tmp/xssrepro