[google-appengine] Starting Penetration testing on GAE

2015-06-25 Thread Azher Uddin Farooqi
Hi,

We are starting penetration testing (for DOS, CSRF and XSS attacks etc.) on 
Google App Engine. Do you see any issues?

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-appengine+unsubscr...@googlegroups.com.
To post to this group, send email to google-appengine@googlegroups.com.
Visit this group at http://groups.google.com/group/google-appengine.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/24eaaca3-647b-4218-84bc-dc7615a93044%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[google-appengine] Re: Starting Penetration testing on GAE

2015-06-26 Thread Azher Uddin Farooqi
Hi Nick,

Thank you very much for your reply. I will go through the links you have 
provided.

-- Azher

On Friday, 26 June 2015 03:48:23 UTC+5:30, Nick (Cloud Platform Support) 
wrote:
>
> Hey Azher,
>
> Any app-level security tests are going to be fine: injection, CSRF, XSS, 
> etc., will be fine to test, since we don't monitor or prevent this in any 
> way. It's up to app developers to safeguard from these app-level 
> vulnerabilities.
>
> However, when it comes to DOS, be aware that our infrastructure does 
> actively prevent these, as you can read in the Security Whitepaper 
> <https://cloud.google.com/security/whitepaper>:
>
>> All traffic is routed through custom GFE (Google Front End) servers to 
>> detect and stop malicious requests and Distributed Denial of Service (DDoS) 
>> attacks.
>>
>
> Conducting a (D)DOS attack, whether "real" or a "test" (they're ultimately 
> identical in terms of network packets), will have the result of potentially 
> rousing the infrastructure security systems from slumber, and might result 
> in black-listing the IPs you used as your launchpad for the (D)DOS.
>
> Additionally, note that attempting to break out of the security sandbox is 
> of course in violation of the Terms of Service 
> <https://cloud.google.com/terms/>, and you'll want to take a look at that 
> as well before proceeding.
>
> Do you have any further questions related to security and pen-testing?
>
> -- Nick
>
> On Thursday, June 25, 2015 at 5:15:08 AM UTC-4, Azher Uddin Farooqi wrote:
>>
>> Hi,
>>
>> We are starting penetration testing (for DOS, CSRF and XSS attacks etc.) 
>> on Google App Engine. Do you see any issues?
>>
>>



[google-appengine] Http OPTIONS is resetting JSESSIONID

2015-07-16 Thread Azher Uddin Farooqi
Hello,

I've recently noticed that certain (all?) browsers do not send cookies with 
OPTIONS requests, but session (understandably) sends a cookie response with 
a new session ID in response to these. (OPTIONS requests are used to probe 
CORS access control headers prior to sending AJAX requests.)


My specific scenario is the following:

   1. Request https://my-domain.appspot.com
      a. Receive cookie with new session ID
   2. AJAX OPTIONS request to https://my-domain.appspot.com to probe for 
      CORS headers (this is automatically generated by the browser)
      a. Browser does not send cookie
      b. Session responds with Set-Cookie header and NEW session ID
   3. Subsequent requests to https://my-domain.appspot.com use a different 
      session ID
   4. Because of the session ID mismatch, the CORS filter blocks the requests.

What can I do to prevent a new session ID getting created in step #2? Or how 
can I avoid my requests failing in the above scenario?


Thanks,
Azher

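The failure described in this post comes from answering the CORS preflight with code that creates a session. A browser preflight (an OPTIONS request carrying Access-Control-Request-Method) is always sent without cookies, so any handler that calls getSession() on it will mint a fresh JSESSIONID that the browser then receives and uses. The following servlet filter, an added example that is not code from this thread or from App Engine, answers the preflight before any session-creating code runs and decides the CORS check on the Origin header rather than on the session ID; the allowed origin value is an assumption for the example.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Answers CORS preflights before any servlet can create a session; map it first in web.xml. */
public class CorsPreflightFilter implements Filter {
    // Assumed allowed origin for this example; take the real value from your own configuration.
    private static final String ALLOWED_ORIGIN = "https://app.example.com";
    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");
        // A preflight is an OPTIONS request carrying Access-Control-Request-Method. The browser
        // sends it without cookies, so the server must answer it without creating a session.
        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;
        if (preflight) {
            if (ALLOWED_ORIGIN.equals(origin)) {
                response.setHeader("Access-Control-Allow-Origin", ALLOWED_ORIGIN);
                response.setHeader("Access-Control-Allow-Credentials", "true");
                response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
                String wanted = request.getHeader("Access-Control-Request-Headers");
                if (wanted != null) response.setHeader("Access-Control-Allow-Headers", wanted);
                response.setHeader("Access-Control-Max-Age", "600"); // lets the browser cache it
                response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            } else {
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            }
            return; // never call request.getSession() here, so no new JSESSIONID is issued
        }

        // Actual request: the origin check is decided on the Origin header, never on the
        // session ID; the application behind the chain may then use the cookie the browser sent.
        if (origin != null) {
            if (!ALLOWED_ORIGIN.equals(origin)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            response.setHeader("Access-Control-Allow-Origin", ALLOWED_ORIGIN);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Vary", "Origin");
        }
        chain.doFilter(req, res);
    }
}
```

Servlet filters run in the order their filter-mapping elements appear in web.xml, so this one must be declared before any filter or servlet that touches the session. With Allow-Credentials set to true the Allow-Origin header has to name a specific origin, which is why the filter echoes a configured value instead of "*".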