I will use Web Security Scanner—one of Google Cloud Security Command Center's built-in services—to scan a Python Flask application for vulnerabilities. Web Security Scanner identifies security vulnerabilities in your App Engine, Google Kubernetes Engine (GKE), and Compute Engine web applications.
Cymbal Bank is an American retail bank with over 2,000 branches in all 50 states. It offers comprehensive debit and credit services that are built on top of a robust payments platform. Cymbal Bank is a digitally transforming legacy financial services institution. Cymbal Bank was founded in 1920 under the name Troxler. Cymbal Group acquired the company in 1975 after it had been investing heavily in Cymbal Group's proprietary ATMs. As the bank grew into a national leader, they put strategic emphasis on modernizing the customer experience both in-person at their branches and digitally through an app they released in 2014. Cymbal Bank employs 42,000 people nationwide and, in 2019, reported $24 billion in revenue. Cymbal Bank is interested in developing a new banking application for their corporate clients using Google Cloud technology. Application security is critical, and the CTO wants to see how Google Cloud can identify and mitigate application security vulnerabilities. As a Cloud Security Engineer, I was tasked with demonstrating Security Command Center's cutting-edge application vulnerability scanning features.
I will perform the following tasks:
- Launch a vulnerable Python Flask application on a Compute Engine instance
- Use Web Security Scanner to scan the application and find vulnerabilities
- Fix the application vulnerability
- Scan the application again and verify vulnerabilities no longer exist
- a new Google Cloud project
In this task, I will set up the infrastructure to demonstrate an application vulnerability to Cymbal Bank's CTO. More specifically, I will deploy a virtual machine, obtain the application code and introduce a vulnerability that will be detected by Web Security Scanner.
1. On the Google Cloud Console title bar, click Activate Cloud Shell
2. Create a static IP address that will be used for scanning a vulnerable web application:
gcloud compute addresses create xss-test-ip-address --region=us-central1
3. Run the following command to output the static IP address you just generated:
gcloud compute addresses describe xss-test-ip-address \
--region=us-central1 --format="value(address)"
4. Run the following command to create a VM instance to run the vulnerable application:
gcloud compute instances create xss-test-vm-instance \
--address=xss-test-ip-address --no-service-account \
--no-scopes --machine-type=e2-micro --zone=us-central1-a \
--metadata=startup-script='apt-get update; apt-get install -y python3-flask'
The startup script installs python3-flask, the Flask web application framework, which runs a simple Python application that demonstrates a cross-site scripting (XSS) vulnerability, a common web application security vulnerability.
5. Open a firewall rule so that Web Security Scanner can reach the vulnerable application:
gcloud compute firewall-rules create enable-wss-scan \
--direction=INGRESS --priority=1000 \
--network=default --action=ALLOW \
--rules=tcp:8080 --source-ranges=0.0.0.0/0
6. Open the navigation menu and select Compute Engine > VM Instances.
7. Then click on the SSH button next to your instance:
This will open an SSH connection to your VM instance in a new window.
8. In this SSH window (not in Cloud Shell), run the following command to download and extract the vulnerable web application files:
gsutil cp gs://cloud-training/GCPSEC-ScannerAppEngine/flask_code.tar . && tar xvf flask_code.tar
9. Now run the following command to deploy your application:
python3 app.py
10. Replace YOUR_EXTERNAL_IP in the URL below with the static IP address you generated, and open the URL in a new browser tab:
http://<YOUR_EXTERNAL_IP>:8080
Note: You can also find the external IP address in the Google Cloud Console, where it's listed as a field associated with your VM instance.
11. A Cymbal Bank corporate banking portal with a web form should appear.
12. In the web form enter the following string:
<script>alert('This is an XSS Injection')</script>
13. Now press the POST button.
You should see the following alert window:
This is a common vulnerability in web applications: a cross-site scripting vulnerability. Cross-site scripting (XSS) is a vulnerability that enables attackers to run malicious scripts in users' browsers in the context of your application.
Now that I've launched the vulnerable application, it's time to demonstrate Web Security Scanner's abilities to the CTO. In this task, I will configure and set up a scan of the application to find security vulnerabilities.
1. Switch back to the browser tab displaying the Cloud console.
2. Open the Navigation menu and select APIs & Services > Library.
3. In Search for APIs and services type Web Security Scanner.
4. Click Enable API to enable the Web Security Scanner API.
5. Open the Navigation menu and select Security > Web Security Scanner.
6. Click + New Scan.
7. The Starting URLs field should be pre-populated with your static IP address.
8. Add the port number 8080, so that the Starting URL looks like the following:
http://<EXTERNAL_IP>:8080
9. Take a minute to review the remaining fields on the Create a new scan screen:
- Authentication: a property that can be used to provide application credentials to allow the scanner to authenticate to an app while scanning.
- Schedule: a property that can be used to schedule scans to run automatically.
- Export to Security Command Center: a property that allows you to automatically export scan configurations and scan results to Cloud Security Command Center after scans are finished.
10. Verify that Authentication is still set to None and that Schedule is set to Never.
11. Click Save to create the scan.
Note: This creates the scan, but does not run it yet.
12. Click Run to start the scan.
Note: Given the number of possible tests, the scan can take a little over 10 minutes.
13. Return to your SSH session in your separate window.
If the session timed out, run the following command to restart your application:
python3 app.py
In the SSH Window, logs will begin to be generated.
14. When the scan finishes, the Results tab should list the cross-site scripting vulnerabilities it found.
The Web Security Scanner was able to scan all starting URLs and detect the XSS vulnerabilities in Cymbal Bank's application. The ability to automate the detection of these critical vulnerabilities is a major benefit for security-minded organizations like Cymbal Bank. I will now fix the vulnerability in Cymbal Bank's application code and test once again.
Now that I have demonstrated that Web Security Scanner can detect an XSS vulnerability, I will remediate the vulnerability and run the application scan again.
1. Return to your SSH window that's connected to your VM instance.
2. Stop the running application by pressing CTRL + C.
3. Edit the app.py file using the nano editor by running the following command:
nano app.py
4. Locate the two lines that set the output string:
# output_string = "".join([html_escape_table.get(c, c) for c in input_string])
output_string = input_string
5. Remove the '#' symbol from the first line and add it to the beginning of the next line (ensure that you indent your code properly!).
The final lines must look like the following:
@app.route('/output')
def output():
    output_string = "".join([html_escape_table.get(c, c) for c in input_string])
    # output_string = input_string
    return flask.render_template("output.html", output=output_string)
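The following added example (my own code, not the lab's app.py) reproduces the vulnerable and fixed behaviour side by side without Flask, so the effect of the one-line change can be checked offline. The contents of html_escape_table, the PAGE_TEMPLATE stand-in for output.html and the helper names are assumptions; only the XSS payload string comes from the lab.

```python
import html

# Escape table in the same shape the lab's fix relies on (assumed contents:
# the page shows the lookup line but not the table itself).
html_escape_table = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}

# Constructed stand-in for the lab's output.html: the submitted string is
# interpolated straight into the page body, so whatever it contains is
# handed to the browser's HTML parser as markup.
PAGE_TEMPLATE = "<html><body><p>You entered: {output}</p></body></html>"

# The string typed into the web form in the lab.
XSS_PAYLOAD = "<script>alert('This is an XSS Injection')</script>"


def escape_output(input_string: str) -> str:
    """The line re-enabled by the fix: map each dangerous character through the table."""
    return "".join([html_escape_table.get(c, c) for c in input_string])


def render_output(input_string: str, escaped: bool) -> str:
    """Build the page as the vulnerable (escaped=False) or fixed (escaped=True) handler would."""
    output_string = escape_output(input_string) if escaped else input_string
    return PAGE_TEMPLATE.format(output=output_string)


def contains_raw_script(page: str) -> bool:
    """Simple check used for verification: is an unescaped <script tag still in the page?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_output(XSS_PAYLOAD, escaped=False))  # raw <script> reaches the browser
    print("fixed:     ", render_output(XSS_PAYLOAD, escaped=True))   # &lt;script&gt;... is shown as text
    # Sanity check: the table agrees with the standard library escaper for this payload.
    assert escape_output(XSS_PAYLOAD) == html.escape(XSS_PAYLOAD, quote=True)
```

Note that the table escapes both quote characters as well as the angle brackets; leaving quotes unescaped would be enough for body text but not for a value placed inside an HTML attribute.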
6. Now type CTRL+X > Y > Enter to save your changes.
7. Now re-run the application:
python3 app.py
8. Return to the Google Cloud Console.
9. Click Run at the top of the page.
10. Open the URL http://<EXTERNAL_IP>:8080 in your browser in a separate tab.
11. In the web form enter the same string entered before:
<script>alert('This is an XSS Injection')</script>
12. Now press the POST button.
13. Verify that this time the string is displayed as text in the browser instead of triggering an alert:
14. Return to the Google Cloud Console, where you left off on the Web Security Scanner page.
15. Click Run at the top of the page to re-scan your application.
16. Soon after, you will see that the results no longer report any XSS vulnerabilities: