Google unleashes tame botnet to hunt XSS in cloudy code

Security scanner spawns hordes of attackers to probe you in all sorts of ways ...

Close-up of the flu virus (artist's impression) - Shutterstock

Google has unleashed its own application security scanner, potentially rescuing admins from 'fiddly' existing offerings.

The scanner will check code running in App Engine for cross-site scripting (XSS) and mixed content vulnerabilities.

Choc Factory engineering head Rob Mann says its scanner uses its Compute Engine to forge a large botnet that scan at a max rate of 20 requests a second stopping at 100,000 requests for large scans.

"Cloud Security Scanner addresses the weaknesses of [real and emulated browsers] by using a multi-stage pipeline," Mann says.

"As with all dynamic vulnerability scanners, a clean scan does not necessarily mean you're security bug free.

"We still recommend a manual security review by your friendly web app security professional."

Mann says the tool aims to detect the most common issues devs face while working with Javascript-soaked apps.

It will flag mixed content by passively observing HTTP traffic for Javascript or CSS requests run over HTTP in the context of an HTTPS page.

Mann says the scanner was different from established popular players "prone to over-reporting" in that it is tailored for Google App devs rather than security boffins and is easier to set up.

Its approach mean false positives are nearly absent and the process requires low effort and produces minimal noise at the cost of missing some application specific bugs.

Devs can access the scanner under Compute > App Engine > Security in Google's Developers Console. It does not work with App Engine Managed VMs, Google Compute Engine, or other resources. ®




Biting the hand that feeds IT © 1998–2018