Using Web Security Scanner

This page describes how to use Web Security Scanner to scan your Google Cloud applications. Web Security Scanner works with App Engine, Compute Engine, or Google Kubernetes Engine (GKE).

Before you scan

Before you scan, carefully audit your application for any feature that may affect data, users, or systems beyond the desired scope of your scan.

Because Web Security Scanner populates fields, pushes buttons, clicks links, and performs other interactions, you should use it with caution. Web Security Scanner might activate features that change the state of your data or system, with undesirable results. For example:

  • In a blog application that allows public comments, Web Security Scanner might post test strings as comments on all your blog articles.
  • In an email sign-up page, Web Security Scanner might generate large numbers of test emails.

For tips about how to minimize risk, see best practices to prevent unintended consequences.

Setting up a scan

Step 1: Creating a test account

When you scan your app, it's best to use a test account that doesn't have access to sensitive data or harmful operations. The test account must have the Cloud Identity and Access Management (Cloud IAM) Owner or Editor role on the App Engine, Compute Engine, or GKE instance that you want to scan. Learn more about the Cloud IAM roles available for Web Security Scanner on the access control page.

To create a test account and add necessary permissions:

  1. Create a test user account in your organization.
  2. Go to the IAM & Admin page in the Cloud Console.
  3. Click Select, and then select the project that contains the application that you want to scan.
  4. On the IAM page, click Add.
  5. On the Add members panel that appears, in the New members box, enter the email address of your test account.
  6. On the Select a role drop-down list, select Project > Editor or Project > Owner.
  7. Click Save.

You can now create a scan, and then use the test account to scan data.

Step 2: Creating a scan

  1. Go to the Web Security Scanner page in the Cloud Console.
  2. Click Select, and then select a project that already has an App Engine, Compute Engine, or GKE application deployed.
  3. To display the new scan form, click Create scan or New scan.
  4. To add values to the new scan form, use the following table as a guide:
    Starting URLs
    A simple site usually requires only one starting URL, like the home, main, or landing page for the site, from which Web Security Scanner can find all other site pages. However, Web Security Scanner might not find all of the pages if a site has:
    • A lot of pages
    • Islands of unconnected pages
    • Navigation that requires complex JavaScript like a mouseover-driven multilevel menu
    In such cases, specify more starting URLs to increase scan coverage.

    Excluded URLs
    To reduce complexity, exclusions are defined using a simplified proto-language using one or more * wildcards, instead of requiring a valid regular expression. For details and sample valid patterns, see Excluding URLs in Scans.

    Google accounts
    You can create a test account in Gmail and then use the account to scan your product. If you are a Google Apps customer, you can create test accounts within your domain, for example, test-account@yourdomain.com. In Web Security Scanner, these accounts work like Gmail accounts. Two-factor authentication is not supported.
    Google enforces a real name policy on Google accounts. If the name on your test account doesn't look real, the account might be blocked.

    Non-Google accounts
    Select this option if you have created your own authentication system and you aren't using Google Account services. Specify the login form's URL, the username, and the password. These credentials are used to sign in to your application and scan it.
    Support for login forms is still in development, and might not work by default with your system.

    Schedule
    You can set the scan to run daily, weekly, every two weeks, or every four weeks. It's best to create a scheduled scan to ensure that future versions of your application are tested. Also, because we occasionally release new scanners that find new bug types, running a scheduled scan offers more coverage without manual effort.
  5. When you're finished adding values, click Create. You can now run the new scan.

Web Security Scanner uses randomly assigned IP addresses during each run. There isn't a predictable IP address to add to firewalls to let the scanner through.
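The scan form above takes starting URLs, excluded-URL patterns with * wildcards, and a schedule, and the "Before you scan" section asks you to audit the app for state-changing features first. The following Python script is an added example (not Google's code and not the scanner's own matcher) that checks a scan definition locally before you create it: every starting URL is absolute, no exclusion swallows a starting URL, every URL your audit flagged as state-changing is covered by some exclusion, and the schedule is one the form offers. It assumes that an exclusion pattern is matched against the whole URL and that * stands for any run of characters; the page defers the exact pattern rules to Excluding URLs in Scans, so treat that as an assumption. The site, URLs, and patterns are constructed sample data.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

# Schedule choices offered by the scan form, as days between runs.
SCHEDULES = {"daily": 1, "weekly": 7, "every two weeks": 14, "every four weeks": 28}


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a '*'-wildcard exclusion pattern into an anchored regex.

    Assumed semantics (not spelled out on this page): '*' matches any run of
    characters, everything else is literal, and the whole URL must match.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def is_excluded(url: str, patterns: List[str]) -> bool:
    """True if any exclusion pattern covers the URL."""
    return any(pattern_to_regex(p).match(url) for p in patterns)


@dataclass
class ScanDefinition:
    name: str
    starting_urls: List[str]
    excluded_patterns: List[str] = field(default_factory=list)
    schedule: Optional[str] = None
    # URLs the pre-scan audit flagged as state-changing (comment forms,
    # sign-ups, deletions); every one of them must be covered by an exclusion.
    must_exclude: List[str] = field(default_factory=list)


def check_scan(scan: ScanDefinition) -> List[str]:
    """Return a list of problems; an empty list means the definition looks safe."""
    problems: List[str] = []

    if not scan.starting_urls:
        problems.append("at least one starting URL is required")
    for url in scan.starting_urls:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"starting URL is not an absolute http(s) URL: {url}")
        elif is_excluded(url, scan.excluded_patterns):
            # Excluding the page the crawl starts from leaves nothing to scan.
            problems.append(f"starting URL is excluded by a pattern: {url}")

    for pattern in scan.excluded_patterns:
        if "*" not in pattern:
            problems.append(
                f"exclusion has no * wildcard, so it matches one exact URL only: {pattern}"
            )

    for url in scan.must_exclude:
        if not is_excluded(url, scan.excluded_patterns):
            problems.append(f"state-changing URL is not excluded: {url}")

    if scan.schedule is not None and scan.schedule not in SCHEDULES:
        problems.append(
            f"unsupported schedule {scan.schedule!r}; choose one of {sorted(SCHEDULES)}"
        )
    return problems


# Constructed sample data, not a real site.
SAMPLE_SCAN = ScanDefinition(
    name="blog-staging",
    starting_urls=["https://blog.example.com/"],
    excluded_patterns=[
        "https://blog.example.com/logout*",
        "https://blog.example.com/posts/*/comments/new*",
        "https://blog.example.com/account/delete*",
    ],
    schedule="weekly",
    must_exclude=[
        "https://blog.example.com/logout",
        "https://blog.example.com/posts/42/comments/new",
        "https://blog.example.com/newsletter/signup",  # audited, but never excluded
    ],
)

if __name__ == "__main__":
    for problem in check_scan(SAMPLE_SCAN) or ["no problems found"]:
        print(problem)
```

Running the script on the sample reports one problem: the newsletter sign-up page was flagged by the audit but no exclusion covers it, which is exactly the kind of gap that lets the scanner generate large numbers of test emails. Fix the exclusion list until check_scan returns an empty list, then enter the same starting URLs and patterns in the scan form.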

Step 3: Running a scan

To run a scan:

  1. Sign in to the test account that you used to create the scan.
  2. Go to the Web Security Scanner page in the Cloud Console.
  3. Click Select, and then select the project that you created the scan in.
  4. Under Scan configs, click the name of the scan that you want to run.
  5. On the scan details page, click Run.

The scan is placed in a queue, and there might be a delay before it runs. It can take several minutes or many hours to run, depending on the system load and features like:

  • Site complexity
  • Number of actionable elements per page
  • Number of links
  • The amount of JavaScript on the site, including navigation

You can set up and run up to 10 different scans before you need to delete or clean up previously saved results.

Viewing scan results

The status and results of a scan are displayed on the scan details page in the Cloud Console. To view scan results:

  1. Sign in to the test account that you used to create the scan.
  2. Go to the Web Security Scanner page in the Cloud Console.
  3. Click Select, and then select the project that contains the scan that you want to review.
  4. Under Scan configs, click the name of the scan that you want to review.

The scan details page loads and displays results from the most recent scan. If a scan is in progress, the Results tab displays the current completion percent. To display results from previous scans, select the scan date and time from the drop-down list.

Details for completed scans include:

  • The Results tab displays a list of vulnerabilities the scan found, if any.
  • The URLs crawled tab displays a list of URLs that the scan checked.
  • The Details tab includes:
    • Starting URLs
    • Authentication
    • User agent
    • Maximum scan speed as queries per second (QPS)

You can find more information about the scan in the project logs page.

Editing a scan

To edit a scan:

  1. Sign in to the test account that you used to create the scan.
  2. Go to the Web Security Scanner page in the Cloud Console.
  3. Click Select, and then select the project that contains the scan that you want to edit.
  4. Under Scan configs, click the name of the scan that you want to edit.
  5. On the scan details page that appears, click Edit.
  6. On the Editing [scan name] page that appears, make the changes that you want, and then click Save.

The edited scan runs when it's next scheduled, or you can manually run it to get updated results.

Deleting a scan

To delete one or more scans:

  1. Sign in to the test account that you used to create the scan.
  2. Go to the Web Security Scanner page in the Cloud Console.
  3. Click Select, and then select the project that contains the scans that you want to delete.
  4. Under Scan configs, select the checkbox next to one or more scans that you want to delete.
  5. Click Delete, and then click Ok.

All of the scans that you selected are deleted.
