[Owasp-leaders] [Owasp-community] Google Cloud Security Scanner

Mario Robles mario.robles at owasp.org
Thu Aug 13 17:08:47 UTC 2015


    Vulnerability detection

The Security Scanner tests for cross-site scripting vulnerabilities,
mixed content, and certain other custom conditions described in the
following sections.


      Cross-site scripting

The scanner's cross-site scripting (XSS) injection test simulates an
injection attack by inserting a benign test string into user-editable
fields and performing a variety of user actions. Custom detectors
observe the browser and DOM during this test to determine whether an
injection was successful and assess its potential for exploitation.


      Mixed Content

The scanner passively observes the HTTP traffic and detects when a
request for a JavaScript or CSS file is performed over HTTP while in the
context of an HTTPS page.


      List of custom detectors

The enabled detectors and their firing conditions are listed here:

Detector              Detection condition
XSS_DEBUG             The Chrome webtools debugger was successfully called via
                      an XSS in the application under test.
XSS_ERROR             The Chrome JavaScript parser detected a syntax error
                      caused by the test request.
XSS_FLASH_INJECTION   The application produced a JSONP response where the user
                      can influence the beginning of the response.
MIXED_CONTENT         Chrome has performed a request to an HTTP script or CSS
                      while in an HTTPS page.


	Mario

On 13/08/2015 10:58 a.m., Eoin Keary wrote:
> No DOM XSS coverage either I believe.
>
>
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
>
>
>
> On 13 Aug 2015, at 16:40, Azzeddine Ramrami
> <azzeddine.ramrami at owasp.org <mailto:azzeddine.ramrami at owasp.org>> wrote:
>
>> It is marketing and sales nonsense.
>> They mention the OWASP Top 10, but really they do a small XSS scan, not
>> all XSS types.
>>
>> On Thu, Aug 13, 2015 at 4:31 PM, Eoin Keary <eoin.keary at owasp.org
>> <mailto:eoin.keary at owasp.org>> wrote:
>>
>>     XSS only last time I looked.
>>
>>     Eoin Keary
>>     OWASP Volunteer
>>     @eoinkeary
>>
>>
>>
>>     On 13 Aug 2015, at 14:53, Noreen Whysel <noreen.whysel at owasp.org
>>     <mailto:noreen.whysel at owasp.org>> wrote:
>>
>>>     Wow. They refer to the OWASP Top Ten to learn more about
>>>     security. I suppose they must have based their scan on the Top Ten?
>>>
>>>     Noreen Whysel
>>>     Community Manager
>>>     OWASP Foundation
>>>
>>>     On Thu, Aug 13, 2015 at 9:38 AM, Fabio Cerullo
>>>     <fcerullo at owasp.org <mailto:fcerullo at owasp.org>> wrote:
>>>
>>>         Just came across this:
>>>
>>>         https://cloud.google.com/security-scanner
>>>
>>>         Has anyone used it?
>>>
>>>         Thanks,
>>>
>>>
>>>         Fabio Cerullo
>>>         Global Board Member
>>>         OWASP Foundation
>>>         https://www.owasp.org
>>>         Join me at AppSecUSA 2015 <https://2015.appsecusa.org> in
>>>         San Francisco!
>>>
>>>
>>>         _______________________________________________
>>>         OWASP-Leaders mailing list
>>>         OWASP-Leaders at lists.owasp.org
>>>         <mailto:OWASP-Leaders at lists.owasp.org>
>>>         https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>> -- 
>> Azzeddine RAMRAMI
>> +33 6 65 48 90 04.
>> Enterprise Security Architect
>> OWASP Leader (Morocco Chapter)
>> Mozilla Security Projects Mentor
>
>
> _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community
