Scan result details

This page describes the details of scan results for Cloud Security Scanner.

Vulnerability classes

Cloud Security Scanner detects the following classes of vulnerabilities: XSS, Flash injection, mixed content, clear text passwords, use of outdated JavaScript libraries, invalid Content-Type headers, invalid, misspelled or mismatching security headers, and accessible Git or SVN repositories. If any of these are found, the result is highlighted for you to explore in detail.

findingType string values

The table below describes the valid string values for the findingType field in a Cloud Security Scanner Finding resource. The Finding resource represents a vulnerability instance identified during a ScanRun, and the findingType field lets you know the type of the vulnerability.

New findingType values are introduced when a vulnerability is added by Google Cloud Platform, and such an update can occur without an update to the existing APIs. This page will be updated whenever a new findingType value is introduced. Changes to the list of valid values will always be noted in the Release Notes page.

findingType string | Description
MIXED_CONTENT | A page that was served over HTTPS also loads resources over HTTP. A man-in-the-middle attacker could tamper with the HTTP resource to gain full access to the website that loads the resource, or to monitor the actions taken by the user.
OUTDATED_LIBRARY | The version of an included library is known to contain a security issue. The scanner checks the version of the library in use against a known list of vulnerable libraries. False positives are possible if the version detection fails or if the library has been manually patched.
ROSETTA_FLASH | This type of vulnerability occurs when the value of a request parameter is reflected at the beginning of the response, for example, in requests using JSONP. Under certain circumstances, an attacker may be able to supply an alphanumeric-only Flash file in the vulnerable parameter, causing the browser to execute the Flash file as if it originated on the vulnerable server.
XSS_CALLBACK | A cross-site scripting (XSS) bug is found via JavaScript callback. For detailed explanations on XSS, see https://www.google.com/about/appsecurity/learning/xss/.
XSS_ERROR | A potential cross-site scripting (XSS) bug due to JavaScript breakage. In some circumstances, the application under test might modify the test string before it is parsed by the browser. When the browser attempts to run this modified test string, it will likely break and throw a JavaScript execution error, which indicates that an injection is occurring. However, it may not be exploitable. Manual verification is needed to see if the test string modifications can be evaded and to confirm that the issue is in fact an XSS vulnerability. For detailed explanations on XSS, see https://www.google.com/about/appsecurity/learning/xss/.
CLEAR_TEXT_PASSWORD | An application appears to be transmitting a password field in clear text. An attacker can eavesdrop on network traffic and sniff the password field.
INVALID_CONTENT_TYPE | An application returns sensitive content with an invalid content type, or without an 'X-Content-Type-Options: nosniff' header.
XSS_ANGULAR_CALLBACK | A cross-site scripting (XSS) vulnerability in an AngularJS module that occurs when a user-provided string is interpolated by Angular.
INVALID_HEADER | A security header that is malformed or carries an invalid value.
MISSPELLED_SECURITY_HEADER_NAME | A misspelled security header name.
MISMATCHING_SECURITY_HEADER_VALUES | Mismatching values in a duplicated security header.
ACCESSIBLE_GIT_REPOSITORY | An accessible Git repository was found by the scan.
ACCESSIBLE_SVN_REPOSITORY | An accessible SVN repository was found by the scan.

Cross-site scripting

Cloud Security Scanner cross-site scripting (XSS) injection testing simulates an injection attack by inserting a benign test string into user-editable fields and performing a variety of user actions. Custom detectors observe the browser and DOM during this test to determine whether an injection was successful and to assess its potential for exploitation.

If the JavaScript contained within the test string cleanly executes, it starts the Chrome debugger.

Following is an example of an XSS alert in the vulnerable parameter q=

Because the test string was able to execute, we now know that it's possible to inject and run JavaScript on this page. If an attacker found this issue, they could execute JavaScript of their choosing as the user (victim) who clicks on a malicious link.

In some circumstances, the application under test might modify the test string before it is parsed by the browser. For example, the application might validate the input or limit the size of a field. When the browser attempts to run this modified test string, it will likely break and throw a JavaScript execution error. This indicates that an injection is occurring. However, it may not be exploitable. You will need to verify manually whether the test string modifications can be evaded and confirm that the issue is in fact an XSS vulnerability.

There are various ways to fix this problem. The recommended way is to escape all output and to use a templating system that supports contextual auto-escaping, so that each value is escaped for the HTML, attribute, URL or JavaScript context into which it is inserted.

Angular Cross-site scripting

An XSS vulnerability in an AngularJS module can occur when a user-provided string is interpolated by Angular. Injecting user-provided values into an AngularJS interpolation can allow the following attacks:

  • An attacker can inject arbitrary code into the page rendered by browsers.
  • An attacker can perform actions on behalf of the victim browser in the page's origin.

Following is an example of a breakage alert that shows an Angular XSS injection issue.

To reproduce this potential vulnerability, follow the Reproduction URL link in the Google Cloud Platform Console after running the scan. This link will either directly open an alert dialog or inject the string "XSSDETECTED" to prove the attack can execute code. In the case of injection, you can open the developer tools of your browser and search for "XSSDETECTED" to find the exact position of the injection.
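The fix described in the Cross-site scripting section (contextual escaping at each output sink) and the AngularJS case above, as an added example that is not code from the Cloud Security Scanner documentation or from Google. It renders a search results page with the q= parameter first unescaped and then escaped per context, and then shows why HTML escaping alone does not help when the same page is an AngularJS template. The probe strings, the escapers and the ng-non-bindable rendering are constructed for this example.

```javascript
// Added example, not code from the Cloud Security Scanner documentation.
// renderVulnerable() concatenates the q= parameter into three contexts,
// the pattern behind an XSS_CALLBACK or XSS_ERROR finding; renderEscaped()
// applies an escaper chosen for each context. Probe strings are constructed.

const XSS_PROBE = '<script>alert(1)</script>';

// HTML text and double-quoted attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// JS string-literal context: everything outside [A-Za-z0-9] becomes \xHH or
// \uHHHH, so the value can neither close the quote nor end the <script> block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

function renderVulnerable(q) {
  return `<p>Results for ${q}</p>\n` +
         `<input name="q" value="${q}">\n` +
         `<script>var lastQuery = '${q}';</script>`;
}

function renderEscaped(q) {
  return `<p>Results for ${escapeHtml(q)}</p>\n` +
         `<input name="q" value="${escapeHtml(q)}">\n` +
         `<script>var lastQuery = '${escapeJsString(q)}';</script>`;
}

// Counts opening <script tags; the template itself contributes exactly one,
// so anything above that is injected markup.
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// AngularJS: "{{" and "}}" are not HTML-special, so escapeHtml() passes an
// interpolation probe through untouched, and AngularJS would still evaluate
// it if it lands inside an ng-app element. Wrapping server-inserted text in
// ng-non-bindable stops AngularJS from compiling it (or, better, keep user
// data out of AngularJS templates entirely). Whether this particular probe
// reaches alert() depends on the AngularJS version; it is a constructed example.
const ANGULAR_PROBE = "{{constructor.constructor('alert(1)')()}}";

function containsAngularInterpolation(s) {
  return /\{\{[\s\S]*?\}\}/.test(s);
}

function renderAngularSafe(q) {
  return `<div ng-app><span ng-non-bindable>${escapeHtml(q)}</span></div>`;
}
```

The point of the two escapers is that the JS-string sink needs a different transformation from the HTML sinks; a single HTML escaper applied to the `lastQuery` literal would leave `'` and `</script>` able to break out. A templating engine with contextual auto-escaping picks the right escaper automatically, which is why the page recommends one.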

Flash injection

Cloud Security Scanner may find a parameter whose value is reflected at the beginning of a response. This is also known as Rosetta Flash. Under certain circumstances, an attacker may cause the browser to execute the response as if it were a Flash file provided by the vulnerable web application.

Following is an example of a Flash injection alert in the parameter callback=

To fix this, don't include user-controllable data at the start of an HTTP response. For JSONP endpoints in particular, validate the callback name and prefix the response with a fixed string such as /**/ so that the reflected value is never the first byte of the body.
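The JSONP hardening described above, as an added example that is not code from the Cloud Security Scanner documentation or from Google. It contrasts a JSONP endpoint that reflects the callback first with one that validates the callback, prefixes the body and sets protective headers. The callback pattern, the sample data and the sample callback are assumptions made for this example; the sample callback only starts with the SWF magic bytes "CWS" and is otherwise arbitrary alphanumerics, not a working payload.

```javascript
// Added example, not code from the Cloud Security Scanner documentation.
// A ROSETTA_FLASH finding depends on attacker bytes starting the response.
// buildJsonpVulnerable() reflects the callback first; buildJsonp() applies
// three independent layers so that no single one is load-bearing.

const SAMPLE_DATA = { user: 'alice', balance: 1200 };   // constructed
// Constructed: alphanumeric like a Rosetta Flash payload, so a character
// allow-list alone would accept it.
const ALPHANUMERIC_CALLBACK = 'CWSMIKI0hCD0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnn';

function buildJsonpVulnerable(callback, data) {
  return callback + '(' + JSON.stringify(data) + ');';
}

// Assumption for the example: callbacks must be plain JS identifiers.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function buildJsonp(callback, data) {
  // Layer 1: reject anything that is not an identifier. Necessary (it stops
  // "alert(1)//"), but not sufficient against alphanumeric SWF bytes.
  if (!CALLBACK_RE.test(callback)) {
    throw new Error('invalid JSONP callback name');
  }
  return {
    status: 200,
    headers: {
      'Content-Type': 'application/javascript; charset=utf-8',
      // Layer 3: stop MIME sniffing, and make a direct load or <object>
      // embed of the URL a download rather than executable content.
      // <script src> loads are unaffected by Content-Disposition.
      'X-Content-Type-Options': 'nosniff',
      'Content-Disposition': 'attachment; filename="f.txt"',
    },
    // Layer 2: a fixed, harmless prefix. "/**/" is not a valid SWF header,
    // so byte 0 of the body is never attacker-controlled.
    body: '/**/' + callback + '(' + JSON.stringify(data) + ');',
  };
}

function startsWithCallerData(body, callback) {
  return body.startsWith(callback);
}
```

The vulnerable builder passes the alphanumeric callback straight through, which is exactly the reflection-at-offset-zero condition the finding describes; the hardened builder still accepts that callback (it is a legal identifier) but the plugin would see `/**/` first and refuse to parse the body as SWF.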

Mixed Content

Cloud Security Scanner passively observes the HTTP traffic and detects when a request for a JavaScript or CSS file is performed over HTTP while in the context of an HTTPS page.

Following is an example of a mixed content alert in an HTTPS page attribute_script, including an HTTP resource from http://irrelevant.google.com

To fix this, reference the resource over HTTPS: either replace http:// with https:// explicitly, or use a protocol-relative URL (replace http:// with //) so that the browser reuses the scheme of the page. Explicit https:// is the better choice now that HTTPS is the norm, since a protocol-relative URL still loads over HTTP when the page itself does.

Outdated Library

Cloud Security Scanner may find that the version of an included library is known to contain a security issue. This is a signature-based scanner that attempts to identify the version of the library in use and checks this against a known list of vulnerable libraries. False positives are possible if the version detection fails or if the library has been manually patched.

Following is an example of an outdated library alert due to the use of jquery-1.8.1.js.

Fix this by updating to a known secure version of the included library.

Clear Text Password

Cloud Security Scanner might find that the application appears to be transmitting a password field in clear text.

To protect sensitive information that passes between client and server, take the following precautions:

  • Use TLS/SSL certificates.
  • Always use HTTPS on pages that include password fields.
  • Make sure that form action attributes always point to an HTTPS URL.
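The two passive checks above (mixed content in an HTTPS page, and a password field in a form that submits over HTTP), as an added example that is not code from the Cloud Security Scanner documentation or from Google. It runs a small static scan over a constructed HTML page and emits findings named after the page's findingType values, then applies the http-to-https rewrite the Mixed Content section recommends. The page URL and HTML are constructed for the example, and the tag matching is a deliberately small regex approach rather than a full HTML parser.

```javascript
// Added example, not code from the Cloud Security Scanner documentation.
// Static reproduction of MIXED_CONTENT and CLEAR_TEXT_PASSWORD over a
// constructed page. Not a full HTML parser: regexes over tags are enough
// to show the logic, not to scan arbitrary markup.

const SAMPLE_PAGE_URL = 'https://shop.example.test/login';   // constructed
const SAMPLE_HTML = `
<html><head>
  <script src="http://cdn.example.test/jquery-1.8.1.js"></script>
  <link rel="stylesheet" href="https://cdn.example.test/app.css">
  <link rel="stylesheet" href="http://cdn.example.test/theme.css">
  <script src="//cdn.example.test/analytics.js"></script>
</head><body>
  <form action="http://shop.example.test/do-login" method="post">
    <input type="text" name="user">
    <input type="password" name="pass">
  </form>
  <form action="/search" method="get"><input type="text" name="q"></form>
</body></html>`;

// Resolve src/href/action like the browser: "//host/x", "/path" and
// absolute forms all end up with an explicit scheme.
function resolveUrl(ref, pageUrl) {
  return new URL(ref, new URL(pageUrl));
}

function findMixedContent(html, pageUrl) {
  if (!pageUrl.startsWith('https://')) return [];   // only meaningful on HTTPS pages
  const findings = [];
  const tagRe = /<(script|link)\b[^>]*?(?:src|href)=["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const target = resolveUrl(m[2], pageUrl);
    if (target.protocol === 'http:') {
      findings.push({ type: 'MIXED_CONTENT', tag: m[1].toLowerCase(), url: target.href });
    }
  }
  return findings;
}

function findClearTextPasswords(html, pageUrl) {
  const findings = [];
  const formRe = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = formRe.exec(html)) !== null) {
    const attrs = m[1], body = m[2];
    if (!/type=["']password["']/i.test(body)) continue;
    const action = (attrs.match(/action=["']([^"']*)["']/i) || [null, ''])[1];
    // An empty or missing action submits to the page itself.
    const target = resolveUrl(action || pageUrl, pageUrl);
    if (target.protocol !== 'https:') {
      findings.push({ type: 'CLEAR_TEXT_PASSWORD', action: target.href });
    }
  }
  return findings;
}

function scanPage(html, pageUrl) {
  return findMixedContent(html, pageUrl).concat(findClearTextPasswords(html, pageUrl));
}

// Fix for the subresources: reference them explicitly over https://.
// (The form action is left alone here; it is fixed by the same substitution
// on the action attribute, or by serving the form from HTTPS only.)
function upgradeSubresources(html) {
  return html.replace(/((?:src|href)=["'])http:\/\//gi, '$1https://');
}
```

Note that the protocol-relative `//cdn.example.test/analytics.js` resolves to https on this page and so is not reported, which matches the Mixed Content section's guidance; it would resolve to http if the same markup were served from an http:// page, which is why explicit https:// is preferred.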

Invalid Content-Type Header

Cloud Security Scanner might find that the content of a loaded resource doesn't match the response's Content-Type HTTP header.

Following is an example of an invalid Content-Type header alert.

To fix this vulnerability, ensure that:

  • JSON responses are served with the Content-Type header application/json
  • Other sensitive responses are served with appropriate MIME types
  • Serve content with the HTTP header X-Content-Type-Options: nosniff

Invalid Security Header

Cloud Security Scanner might find that a security header has a syntax error. As a result, the header will be ignored by browsers.

Following is an example of an invalid security header finding.

Referrer-Policy header

A valid referrer policy contains one of the following values: the empty string, no-referrer, no-referrer-when-downgrade, same-origin, origin, strict-origin, origin-when-cross-origin, strict-origin-when-cross-origin, or unsafe-url.

X-Frame-Options header

A valid X-Frame-Options header can only have the values DENY (disallow all framing), SAMEORIGIN (allow framing if the top-level URL is same origin) or ALLOW-FROM URL. Note that ALLOW-FROM URL is not supported by Chrome. Also note that multiple X-Frame-Options are not allowed.

X-Content-Type-Options header

A valid X-Content-Type-Options header can only have one value: nosniff.

X-XSS-Protection header

A valid X-XSS-Protection header must start with either 0 ("disable") or 1 ("enable"). Only if you enable the protection can you add up to two options: mode=block shows a blank page instead of filtering the XSS, and report=URI sends reports to URI. Options must be separated by semicolons, like this: 1; mode=block; report=URI. Make sure there is no trailing semicolon. Note that this header only affects browsers that still ship a reflected-XSS filter; Chrome removed its XSS Auditor in version 78, so rely on a Content Security Policy rather than on this header.

Misspelled Security Header Name

Cloud Security Scanner might find a misspelled security header name. In its misspelled form, the security header is ineffective and must be fixed.

Following is an example of a misspelled security header name finding.

To reproduce this vulnerability, check for the misspelling in the network tab of your browser's developer tools.

Mismatching Security Header Values

Cloud Security Scanner might find that the response has duplicated, security-related response headers with conflicting values. Some security-related HTTP headers have undefined behavior if declared twice in the response with mismatching values.

Following is an example of a mismatching security header values finding.

To fix this vulnerability, keep only one of the duplicated headers, set to the value you intend.
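The rules from the Invalid Content-Type Header, Invalid Security Header, Misspelled Security Header Name and Mismatching Security Header Values sections above, as an added example that is not code from the Cloud Security Scanner documentation or from Google. It lints a response's headers and body and emits findings named after the page's findingType values. The value patterns follow the rules stated on this page; the edit-distance threshold for spotting a misspelled name, the "JSON body means sensitive content" heuristic, and both sample responses are assumptions made for this example.

```javascript
// Added example, not code from the Cloud Security Scanner documentation.
// Headers are [name, value] pairs so duplicates survive, as on the wire.

// Validators for the values this page defines as valid.
const SECURITY_HEADERS = {
  'referrer-policy': v => ['', 'no-referrer', 'no-referrer-when-downgrade', 'same-origin',
    'origin', 'strict-origin', 'origin-when-cross-origin',
    'strict-origin-when-cross-origin', 'unsafe-url'].includes(v.toLowerCase()),
  'x-frame-options': v => /^(DENY|SAMEORIGIN|ALLOW-FROM \S+)$/i.test(v),
  'x-content-type-options': v => v.toLowerCase() === 'nosniff',
  // 0, or 1 optionally followed by mode=block and/or report=URI; a trailing
  // semicolon fails. Option order is fixed here as a simplification.
  'x-xss-protection': v => /^(0|1(; *mode=block)?(; *report=\S+)?)$/i.test(v),
};

// Levenshtein distance, used to spot names that are a typo away from a
// known security header.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
  }
  return d[a.length][b.length];
}

function lintResponse(headers, body) {
  const findings = [];
  const known = Object.keys(SECURITY_HEADERS);
  const seen = {};                                 // lowercase name -> Set of values
  for (const [rawName, value] of headers) {
    const name = rawName.toLowerCase();
    if (known.includes(name)) {
      if (!SECURITY_HEADERS[name](value.trim())) {
        findings.push({ type: 'INVALID_HEADER', header: rawName, value });
      }
      (seen[name] = seen[name] || new Set()).add(value.trim().toLowerCase());
    } else {
      // Assumption: an unknown name within edit distance 2 of a known
      // security header is a typo rather than a custom header.
      const near = known.find(k => editDistance(k, name) <= 2);
      if (near) findings.push({ type: 'MISSPELLED_SECURITY_HEADER_NAME', header: rawName, expected: near });
    }
  }
  for (const name of Object.keys(seen)) {
    if (seen[name].size > 1) {
      findings.push({ type: 'MISMATCHING_SECURITY_HEADER_VALUES', header: name, values: [...seen[name]] });
    }
  }
  // Content-Type checks. Heuristic: a body that starts with { or [ is JSON
  // and treated as sensitive content for the purpose of the example.
  const ct = (headers.find(([n]) => n.toLowerCase() === 'content-type') || ['', ''])[1];
  const looksJson = /^\s*[\[{]/.test(body);
  if (looksJson && !/^application\/json\b/i.test(ct)) {
    findings.push({ type: 'INVALID_CONTENT_TYPE', reason: 'JSON body served as ' + (ct || '(none)') });
  }
  if (looksJson && !seen['x-content-type-options']) {
    findings.push({ type: 'INVALID_CONTENT_TYPE', reason: 'missing X-Content-Type-Options: nosniff' });
  }
  return findings;
}

// Constructed sample responses.
const BAD_RESPONSE = {
  headers: [
    ['Content-Type', 'text/html'],
    ['X-Frame-Option', 'DENY'],                 // misspelled name
    ['X-Frame-Options', 'DENY'],
    ['X-Frame-Options', 'SAMEORIGIN'],          // duplicate with a conflicting value
    ['X-XSS-Protection', '1; mode=block;'],     // trailing semicolon
    ['Referrer-Policy', 'no-referer'],          // invalid value
  ],
  body: '{"balance": 1200}',
};
const GOOD_RESPONSE = {
  headers: [
    ['Content-Type', 'application/json; charset=utf-8'],
    ['X-Content-Type-Options', 'nosniff'],
    ['X-Frame-Options', 'DENY'],
    ['Referrer-Policy', 'strict-origin-when-cross-origin'],
    ['X-XSS-Protection', '0'],
  ],
  body: '{"balance": 1200}',
};
```

Running `lintResponse(BAD_RESPONSE.headers, BAD_RESPONSE.body)` yields one finding per deliberate defect in the sample (six in total), and the same call on GOOD_RESPONSE yields none. The misspelled `X-Frame-Option` is worth noting: browsers ignore it silently, and because a correctly spelled copy is also present the page would look protected in a casual check while the duplicate-with-conflicting-value problem remains.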

Accessible Repository

Cloud Security Scanner might find an accessible Git or SVN repository in the application. This may lead to configuration and source code leaks.

Following is an example of an accessible Git repository finding.

To reproduce the vulnerability, click the reproduction URL in the finding report.

Verify the issue

When Cloud Security Scanner reports an issue, you'll need to verify the issue's location. Do this with a browser that has XSS protection turned off. It's best to use a separate test instance of Chrome, but you can use most modern browsers that allow you to disable XSS protection. Note that Chrome removed its XSS Auditor in version 78, so on current Chrome versions the --disable-xss-auditor flag has no effect; the separate profile (--user-data-dir) is still worth keeping so that the reproduction does not run with your normal cookies and sessions.

To disable XSS protection in Chrome:

  • If you use Linux, invoke the Linux Chrome command as follows:

    chrome --user-data-dir=~/.chrometest --allow-running-insecure-content \
        --disable-xss-auditor --disable-sync --bwsi

  • If you use Mac OSX, invoke the Chrome command as follows:

    open -n /Applications/Google\ Chrome.app/ --args --disable-xss-auditor \
        --user-data-dir=/tmp/xssrepro

Note that Content Security Policy (CSP) enforcement might still prevent the JavaScript code from running. This can make it more difficult to reproduce the XSS. If you experience this issue, check the browser log console for details about the CSP violation that occurred.
