Overview of Web Security Scanner
Note: This feature is available for the Security Command Center Enterprise, Premium, and Standard tiers, though some functionality may be limited in the Premium or Standard tier.
Web Security Scanner identifies security vulnerabilities and misconfigurations in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications. It crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible. Web Security Scanner only supports public URLs and IPs that aren't behind a firewall.
Web Security Scanner supports the App Engine standard environment and App Engine flexible environment, Compute Engine instances, and GKE resources.
Web Security Scanner is designed to complement your existing secure design and development processes. To avoid distracting you with false positives, Web Security Scanner errs on the side of under-reporting and doesn't display low-confidence alerts. It does not replace a manual security review, and it does not guarantee that your application is free from security flaws.
Note: Google may use aggregated and anonymized data to improve the performance of Web Security Scanner and to analyze web vulnerability trends. Google won't share information on specific issues or the security state of a scanned website with any third party.
Findings categorized as misconfigurations represent issues that can be resolved through customer action by updating configurations. Although these findings are important for improving security posture, they are distinct from vulnerabilities, which represent actively exploitable weaknesses. You can view these misconfigurations on the Findings page of Security Command Center. For more information, see Web Security Scanner misconfiguration findings.
Caution: Web Security Scanner can adversely affect the reliability of some applications and might not be suitable for use in a production environment. Also, Web Security Scanner cannot detect all possible vulnerabilities in an application. For more information, see the Usage caveats and Best practices sections of this page.
Scan types
Web Security Scanner provides managed and custom web vulnerability scanning for public web applications served from App Engine, GKE, and Compute Engine.
Managed scans
Premium and Enterprise service tiers
Web Security Scanner managed scans are configured and managed by Security Command Center. Managed scans automatically run once each week to detect and scan public web endpoints. These scans don't use authentication and they send GET-only requests, so they don't submit any forms on live websites.
Managed scans run separately from custom scans.
If Security Command Center is activated at the organization level, you can use managed scans to centrally manage basic web application vulnerability detection for projects in your organization, without having to involve individual project teams. When findings are discovered, you can work with those teams to set up more comprehensive custom scans.
When you enable Web Security Scanner as a service, managed scan findings are automatically available in the Security Command Center Vulnerabilities page and related reports. For information about how to enable Web Security Scanner managed scans, see Configure Security Command Center services.
Managed scans support only applications that use the default port, which is 80 for HTTP connections and 443 for HTTPS connections. If your application uses a non-default port, do a custom scan instead.
Custom scans
Standard, Premium, and Enterprise service tiers
Web Security Scanner custom scans provide granular information about application vulnerability findings, like outdated libraries, cross-site scripting, or use of mixed content.
You define custom scans at the project level.
Custom scan findings are available in Security Command Center after you complete the guide to set up Web Security Scanner custom scans.
Scan findings
This section describes Web Security Scanner finding types and relevant compliance standards.
Note: Attack path simulations don't support Web Security Scanner findings, so the findings don't get attack exposure scores or attack paths.
Detectors and compliance
Web Security Scanner supports categories in the OWASP Top Ten, a document that ranks and provides remediation guidance for the top 10 most critical web application security risks, as determined by the Open Web Application Security Project (OWASP).
Note: The category A09:2021 Security Logging and Monitoring Failures (previously A10:2017 Insufficient Logging & Monitoring) is not supported. This category describes insufficiencies that allow attackers to remain undetected. Unlike the other nine OWASP categories, it doesn't pertain to specific vulnerabilities that attackers can exploit. Similarly, Web Security Scanner can't attack web applications to provoke a detectable response. The issues included in this category require human judgment.
The compliance mapping is included for reference and is not provided or reviewed by the OWASP Foundation. It's only intended for you to monitor for compliance controls violations. The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification, or report of compliance of your products or services with any regulatory or industry benchmarks or standards.
For more information about compliance, see Assess and report security benchmark compliance.
Finding types
Web Security Scanner custom and managed scans identify the following finding types. In the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.
| Finding description | Pricing tier | Finding type | OWASP 2017 Top 10 | OWASP 2021 Top 10 |
|---|---|---|---|---|
| A Git repository is exposed publicly. To resolve this finding, remove unintentional public access to the Git repository. | Premium or Standard | Vulnerability | A5 | A01 |
| An SVN repository is exposed publicly. To resolve this finding, remove unintentional public access to the SVN repository. | Premium or Standard | Vulnerability | A5 | A01 |
| An ENV file is exposed publicly. To resolve this finding, remove unintentional public access to the ENV file. | Premium or Standard | Vulnerability | A5 | A01 |
| Passwords entered on the web application can be cached in a regular browser cache instead of secure password storage. | Premium | Vulnerability | A3 | A04 |
| Passwords are being transmitted in clear text and can be intercepted. To resolve this finding, encrypt the password transmitted over the network. | Premium or Standard | Vulnerability | A3 | A02 |
| A cross-site HTTP or HTTPS endpoint validates only a suffix of the | Premium | Vulnerability | A5 | A01 |
| A cross-site HTTP or HTTPS endpoint validates only a prefix of the | Premium | Vulnerability | A5 | A01 |
| A resource was loaded that doesn't match the response's Content-Type HTTP header. To resolve this finding, set | Premium or Standard | Vulnerability | A6 | A05 |
| A security header has a syntax error and is ignored by browsers. To resolve this finding, set HTTP security headers correctly. | Premium or Standard | Vulnerability | A6 | A05 |
| A security header has duplicated, mismatching values, which result in undefined behavior. To resolve this finding, set HTTP security headers correctly. | Premium or Standard | Vulnerability | A6 | A05 |
| A security header is misspelled and is ignored. To resolve this finding, set HTTP security headers correctly. | Premium or Standard | Vulnerability | A6 | A05 |
| Resources are being served over HTTP on an HTTPS page. To resolve this finding, make sure that all resources are served over HTTPS. | Premium or Standard | Vulnerability | A6 | A05 |
| A library was detected that has known vulnerabilities. To resolve this finding, upgrade libraries to a newer version. | Premium or Standard | Vulnerability | A9 | A06 |
| A server-side request forgery (SSRF) vulnerability was detected. To resolve this finding, use an allowlist to limit the domains and IP addresses that the web application can make requests to. | Premium or Standard | Vulnerability | Not applicable | A10 |
| When making a cross-domain request, the web application includes the user's session identifier in its | Premium | Vulnerability | A2 | A07 |
| A potential SQL injection vulnerability was detected. To resolve this finding, use parameterized queries to prevent user inputs from influencing the structure of the SQL query. | Premium | Vulnerability | A1 | A03 |
| The use of a vulnerable version of Apache Struts was detected. To resolve this finding, upgrade Apache Struts to the latest version. | Premium | Vulnerability | A8 | A08 |
| A field in this web application is vulnerable to a cross-site scripting (XSS) attack. To resolve this finding, validate and escape untrusted user-supplied data. | Premium or Standard | Vulnerability | A7 | A03 |
| A user-provided string isn't escaped and AngularJS can interpolate it. To resolve this finding, validate and escape untrusted user-supplied data handled by the Angular framework. | Premium or Standard | Vulnerability | A7 | A03 |
| A field in this web application is vulnerable to a cross-site scripting attack. To resolve this finding, validate and escape untrusted user-supplied data. | Premium or Standard | Vulnerability | A7 | A03 |
| An XML External Entity (XXE) vulnerability was detected. This vulnerability can cause the web application to leak a file on the host. To resolve this finding, configure your XML parsers to disallow external entities. | Premium | Vulnerability | A4 | A05 |
| The application is vulnerable to prototype pollution. This vulnerability arises when properties of the | Premium or Standard | Vulnerability | A1 | A03 |
| A misconfigured HTTP Strict Transport Security (HSTS) header was detected. HSTS headers force connections through encrypted channels (TLS) so that plaintext HTTP connections fail. To significantly reduce the risk of downgrade and eavesdropping attacks on HTTP connections, resolve the misconfigured HSTS header. | Premium | Misconfiguration | Not applicable | Not applicable |
| A missing Content Security Policy (CSP) HTTP response header was detected. CSP headers mitigate the exploitation of common web vulnerabilities, particularly cross-site scripting (XSS), by preventing untrusted scripts or plugins from being loaded. A strict CSP header is recommended. | Premium | Misconfiguration | Not applicable | Not applicable |
| A misconfigured Content Security Policy (CSP) HTTP response header was detected. CSP headers mitigate the exploitation of common web vulnerabilities, particularly cross-site scripting (XSS), by preventing untrusted scripts or plugins from being loaded. A strict CSP header is recommended. | Premium | Misconfiguration | Not applicable | Not applicable |
| A missing Cross-Origin-Opener-Policy (COOP) HTTP header was detected. COOP is a web security mechanism that restricts a page opened in a new window from accessing the properties of its originating page. COOP offers a strong layer of protection against common web attacks. | Premium | Misconfiguration | Not applicable | Not applicable |
| A missing response header was detected. To prevent clickjacking, implement an HTTP response header like an | Premium | Misconfiguration | Not applicable | Not applicable |
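Several rows in the table above are about HTTP response headers: a security header that is misspelled, sent twice with different values, or syntactically invalid (and therefore ignored by browsers), a missing or weak HSTS, CSP, COOP or clickjacking header, and mixed content on an HTTPS page. The following is an added example, not code from Web Security Scanner or from this documentation, that audits one response for those conditions so you can reproduce the checks locally before a scan runs. The finding labels, the HSTS `max-age` threshold of one year, the similarity cutoff used to call a header name misspelled, and the sample response are all this example's own assumptions.

```python
"""Added example: audit one HTTP response for the header-related findings in the
table above. Labels and thresholds are this example's assumptions, not documented
Web Security Scanner behaviour."""
from __future__ import annotations

import difflib
import re
from collections import defaultdict
from html.parser import HTMLParser

# Header names this audit knows. A received name that is close to one of these
# but not equal is reported as misspelled, because browsers ignore it silently.
KNOWN_SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "cross-origin-opener-policy",
    "x-frame-options",
    "x-content-type-options",
)
# Assumption of this example, not a documented scanner threshold.
MIN_HSTS_MAX_AGE = 31536000  # one year
_HSTS_MAX_AGE = re.compile(r"(?:^|;)\s*max-age=(\d+)\s*(?:;|$)", re.I)
_COOP_VALUES = {"same-origin", "same-origin-allow-popups", "unsafe-none"}
_XFO_VALUES = {"deny", "sameorigin"}  # ALLOW-FROM is obsolete and ignored by browsers
_FETCHED_TAGS = {"script", "img", "link", "iframe", "audio", "video", "source"}


class _MixedContentParser(HTMLParser):
    """Collects sub-resources that an HTTPS page loads over plain http://."""

    def __init__(self) -> None:
        super().__init__()
        self.insecure: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in _FETCHED_TAGS:  # <a href="http://..."> is a link, not mixed content
            return
        for name, value in attrs:
            if name in ("src", "href") and value and value.lower().startswith("http://"):
                self.insecure.append(value)


def audit_response(headers: list[tuple[str, str]], body: str = "", https: bool = True) -> list[str]:
    """Return this example's finding labels for one response.

    `headers` is the raw list of (name, value) pairs rather than a dict, so a
    header that was sent twice with different values stays visible.
    """
    findings: list[str] = []
    by_name: dict[str, list[str]] = defaultdict(list)
    for name, value in headers:
        by_name[name.strip().lower()].append(value.strip())

    # Misspelled security header name: a near miss of a known name.
    for name in by_name:
        if name not in KNOWN_SECURITY_HEADERS and difflib.get_close_matches(
            name, KNOWN_SECURITY_HEADERS, n=1, cutoff=0.9
        ):
            findings.append(f"misspelled-security-header:{name}")

    # Same header sent twice with mismatching values: browser behaviour is undefined.
    for name in KNOWN_SECURITY_HEADERS:
        if len({v.lower() for v in by_name.get(name, [])}) > 1:
            findings.append(f"mismatching-security-header-values:{name}")

    # Syntax errors that make a browser ignore the header, plus a weak HSTS.
    for value in by_name.get("strict-transport-security", []):
        m = _HSTS_MAX_AGE.search(value)
        if not m:
            findings.append("invalid-security-header:strict-transport-security")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("misconfigured-hsts:max-age-too-short")
    for value in by_name.get("x-frame-options", []):
        if value.lower() not in _XFO_VALUES:
            findings.append("invalid-security-header:x-frame-options")
    for value in by_name.get("cross-origin-opener-policy", []):
        if value.lower().split(";")[0].strip() not in _COOP_VALUES:
            findings.append("invalid-security-header:cross-origin-opener-policy")

    # Missing headers from the misconfiguration rows of the table.
    csp_values = by_name.get("content-security-policy", [])
    if not csp_values:
        findings.append("missing-csp")
    if "cross-origin-opener-policy" not in by_name:
        findings.append("missing-coop")
    frame_ancestors = any("frame-ancestors" in v.lower() for v in csp_values)
    if "x-frame-options" not in by_name and not frame_ancestors:
        findings.append("missing-clickjacking-header")

    # Mixed content only applies when the page itself was served over HTTPS.
    if https and body:
        parser = _MixedContentParser()
        parser.feed(body)
        findings.extend(f"mixed-content:{url}" for url in parser.insecure)
    return findings


# Constructed sample response for the demo; not captured from a real site.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=300"),   # valid syntax, but too short
    ("X-Frame-Option", "DENY"),                      # misspelled, so browsers ignore it
    ("Cross-Origin-Opener-Policy", "same-origin"),
    ("Cross-Origin-Opener-Policy", "unsafe-none"),   # sent twice with different values
]
SAMPLE_BODY = (
    '<html><head><script src="http://cdn.example/app.js"></script></head>'
    '<body><a href="http://example.test/">link</a></body></html>'
)

if __name__ == "__main__":
    for finding in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(finding)
```

The audit deliberately keeps the raw header list instead of a dict: a dict would collapse the duplicated COOP header into one value and hide exactly the "duplicated, mismatching values" case the table describes. Feed it the headers and body from `curl -si` or your framework's test client.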
Usage caveats
The IAM roles for Security Command Center can be granted at the organization, folder, or project level. Your ability to view, edit, create, or update findings, assets, and security sources depends on the level for which you are granted access. To learn more about Security Command Center roles, see Access control.
Other important things to be aware of when using Web Security Scanner:
- Because Web Security Scanner is undergoing continual improvements, a future scan might report issues that are not reported by the current scan.
- Some features or sections of your application might not be tested.
- Web Security Scanner attempts to activate every control and input it finds.
- Web Security Scanner only supports websites using IPv4. Websites using IPv6 are not scanned.
- If you expose state-changing actions for which your test account has permission, Web Security Scanner is likely to activate them. This might lead to undesirable results.
- Web Security Scanner has a limit of 15 scans per project. Because scans are run concurrently, users who reach this limit are advised to add multiple starting URLs per scan, or to add scans to different projects that have not yet reached the limit.
Who can run a security scan?
For information about the Identity and Access Management (IAM) roles that are available for Web Security Scanner, see Access control.
How much time is required for a security scan?
The security scan does not execute immediately. It is queued and then executes later, possibly hours later depending on system load. After the scan starts to execute, the time it takes will depend on the size of your application. A scan of a large application with many URLs can take several hours, or even days. If a scan has not completed within 20 days, the scan is automatically stopped, and all crawl results and findings found during the scan will be visible as the scan result.
Target restrictions
Web Security Scanner has filters in place that restrict scan targets to the specific App Engine instance for which the scan is created. Entering URLs for a different App Engine project or an outside domain will result in an error message.
Important: Attempting to subvert or in any way direct traffic to out-of-scope URLs is a violation of the acceptable use policy.
Scans for Compute Engine and GKE are restricted to domains that map to static external IP addresses reserved for the same project and static external IP addresses that belong to the same project. For instructions on reserving IP addresses for projects, see the following links:
- Compute Engine: Reserving a static external IP address
- App Engine: App Engine does not provide a way to map static IP addresses to an application. However, you can use Cloud Load Balancing and serverless network endpoint groups to reserve a static IP address for your load balancer, which then directs traffic to your application. For information about pricing, see All networking pricing.
Within your project, Web Security Scanner automatically attempts to avoid logout URLs and other generic locations that may adversely affect a scan. However, to be sure, you can use the scan settings to manually exclude URLs.
Validation
Scan configurations are validated when they are created and before each scan. Web Security Scanner checks Security Command Center settings and your application's authentication credentials to ensure scans are configured correctly and can log in to your application successfully. Configuration parameters, including maximum scan speed, are also checked to ensure they are within supported ranges.
You must resolve errors before a scan is created or updated. Applications that are changed after initial configuration may produce errors during scans. For example, if a domain no longer points to an IP address owned by the project, the resource is not scanned and an error is reported on the scan configuration page.
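The target restrictions and validation rules above (default ports for managed scans, IPv4 only, hostnames that must resolve to static external IP addresses reserved in the same project, and the error raised when a domain later drifts to another IP) are easy to pre-check before you create or update a scan configuration. The following is an added example, not part of this documentation or of the scanner, that runs those checks over a list of candidate starting URLs. It covers only the Compute Engine and GKE rule (static IPs owned by the project), not App Engine scoping; the reserved addresses and the DNS answers are constructed sample data, and `resolve` is an injected function so that the example runs offline. In real use you would take the addresses from `gcloud compute addresses list` and pass a resolver built on `socket.getaddrinfo`.

```python
"""Added example: pre-flight check of scan starting URLs against the target
restrictions described above. Sample IPs and DNS answers are constructed."""
from __future__ import annotations

import ipaddress
from typing import Callable, Iterable
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: static external IPv4 addresses reserved in this project.
PROJECT_STATIC_IPS = {"203.0.113.10", "203.0.113.11"}

# Constructed sample DNS answers standing in for a real resolver.
SAMPLE_DNS = {
    "app.example.test": ["203.0.113.10"],
    "legacy.example.test": ["198.51.100.7"],  # now points outside the project
    "v6.example.test": ["2001:db8::1"],        # IPv6 only, so it is never scanned
    "api.example.test": ["203.0.113.11"],
}


def sample_resolve(hostname: str) -> list[str]:
    """Offline stand-in for DNS resolution (assumption of this example)."""
    return SAMPLE_DNS.get(hostname, [])


def check_target(url: str, project_ips: set[str], resolve: Callable[[str], list[str]],
                 managed: bool = False) -> list[str]:
    """Return the reasons a starting URL would be rejected; empty means acceptable."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return [f"{url}: not an http(s) URL"]
    problems: list[str] = []
    default_port = DEFAULT_PORTS[parts.scheme]
    port = parts.port or default_port
    # Managed scans only reach the default port; anything else needs a custom scan.
    if managed and port != default_port:
        problems.append(f"{url}: managed scans use only port {default_port}; run a custom scan instead")
    answers = resolve(parts.hostname)
    if not answers:
        problems.append(f"{url}: hostname does not resolve")
        return problems
    # IPv6-only targets are not scanned at all.
    ipv4 = {a for a in answers if ipaddress.ip_address(a).version == 4}
    if not ipv4:
        problems.append(f"{url}: resolves only to IPv6 addresses, which are not scanned")
        return problems
    # Every IPv4 answer must be a static external address reserved in this project;
    # a domain that has drifted elsewhere is exactly the validation error described above.
    outside = sorted(ipv4 - project_ips)
    if outside:
        problems.append(f"{url}: resolves to {', '.join(outside)}, not a static external IP "
                        "reserved in this project")
    return problems


def check_targets(urls: Iterable[str], project_ips: set[str], resolve: Callable[[str], list[str]],
                  managed: bool = False) -> dict[str, list[str]]:
    """Check every starting URL of a scan configuration; an empty list means it passes."""
    return {url: check_target(url, project_ips, resolve, managed) for url in urls}


if __name__ == "__main__":
    report = check_targets(
        ["https://app.example.test/", "https://legacy.example.test/login",
         "https://v6.example.test/", "http://api.example.test:8080/"],
        PROJECT_STATIC_IPS, sample_resolve, managed=True,
    )
    for url, problems in report.items():
        print(url, "OK" if not problems else problems)
```

Run it with `managed=False` for a custom scan and the port check drops out while the ownership and IPv4 checks still apply, which mirrors the difference between the two scan types described earlier on this page.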
Best practices
Because Web Security Scanner populates fields, pushes buttons, clicks links, and performs other user actions, you should use it with caution, particularly if you are scanning production resources. Web Security Scanner could potentially activate features that change the state of your data or system, with undesirable results.
For example:
- In a blog application that allows public comments, Web Security Scanner might post test strings as comments on all your blog articles.
- In an email sign-up page, Web Security Scanner might generate large numbers of test emails.
Following are some techniques that you can use, separately or in combination, to avoid unwanted outcomes:
- Run scans in a test environment. Set up a test environment by creating a separate App Engine project and loading your application and data there. If you use the Google Cloud CLI, you can specify the target project as a command-line option when you upload your app.
- Use a test account. Create a user account that doesn't have access to sensitive data or harmful operations, and use it when scanning your app. Many applications present a special workflow during a user's first-time login, like accepting terms and creating a profile. Because of the different workflow, a test account for an initial user can have different scan results than an established user account. It's best to scan with an account that is in the normal user state, after the first-time flow is complete.
- Block individual user interface elements that you do not want activated by applying the CSS class inq-no-click. Event handlers that are attached to this element aren't activated during crawling and testing, regardless of whether they are inline JavaScript, attached using addEventListener, or attached by setting the appropriate event handler property.
- Use backup data. Consider making a backup of your data before scanning.
- Exclude URLs. You can specify URL patterns that won't be crawled or tested. For information on syntax, see Excluding URLs.
Before you scan, carefully audit your application for any feature that might affect data, users, or systems beyond the scope of your scan.
What's next
- Get started with the Web Security Scanner.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.