Using Web Security Checker
Available in Classic and VPC
This guide explains how to run a web service diagnosis and check the results in the NAVER Cloud Platform console.
Web Security Checker page
The basics of using Web Security Checker are as follows.
Area | Description |
---|---|
① Menu name | Name of the menu currently being viewed |
② Basic features | Features displayed upon the initial entry to the Web Security Checker menu |
③ Search window | Search the task history by diagnostic URL or memo details. |
④ Search filter | Specify a range of diagnosis tasks to be searched. |
⑤ Diagnostic task list | The list of the diagnosis tasks executed |
Run diagnosis
The following describes how to conduct web service diagnosis.
- Unintended behaviors may occur in the course of diagnosis. To prepare for this, it is recommended to run the diagnosis in a test environment, not in a production environment.
- Set up backup and monitoring before diagnosis to make the diagnosis safer. You can also use the resource monitoring service offered by NAVER Cloud Platform (Cloud Insight(VPC)).
- From the NAVER Cloud Platform console, click the Services > Security > Web Security Checker menus in that order.
- Click the [Create diagnosis task] button.
- When the Create a diagnosis task page appears, proceed with the following steps in order.
1. Enter target information
Enter a diagnostic target URL and then click the [Check for the ownership status] button.
- Enter the URL including http:// or https://.
- If the web server belongs to another company's infrastructure, not to NAVER Cloud Platform, perform the following additional tasks.
- Add an exception for the Web Security Checker IP so that the Web Security Checker scanner is not blocked on the other company's network.
- Click the [Create and download authentication file] button to download the authentication file and then upload the file to one of the paths listed on the screen.
- Agree to the statement that you may be liable if the web server is not your own.
2. Enter information to be excluded
If there is any page or directory to be excluded from the diagnosis, enter it as information to be excluded and then click the [Add] button.
- You can enter multiple URLs.
- Click the [Remove] button to remove an entry from the exclusion targets.
Pages that you might exclude are as follows.
- Pages that may greatly affect the web service.
- Pages on which the scripts executed during URL collection or diagnosis must be blocked.
3. Enter authentication information
Enter the authentication information for a web service that requires authentication.
- It should be entered as an HTTP header.
- If you don’t need the authentication information, select No input.
- Log in to the diagnosis target server, copy the Request Header value and paste it into the HTTP Header input field.
- Click the [View screenshots of authentication results] button to check whether the value entered was applied successfully.
If the account used for authentication has admin or equivalent permissions, the risk may be higher than with a general account. Make sure to use an account that has been granted only the permissions required.
4. Reserve schedule
Set the diagnostic schedule.
- To start diagnosis immediately, select Immediately.
- To reserve a diagnosis, select reservation and then the execution date. Reservation is available only within 30 days from the current date.
For a safe diagnosis, it is recommended to run it when there are few users of the diagnosis target service.
5. Set details
If needed, set the diagnosis items, User Agent and the speed of the diagnosis task.
- Diagnosis items: Select the vulnerability check items you want.
- Select User Agent: Select the environment to be diagnosed.
- Speed of the diagnosis task: Select the speed of the diagnosis task.
- The faster the speed of the diagnosis task, the higher the load on the web service.
6. Set notifications
To set notification recipients for the events that may occur during diagnosis, click the [Set notification recipients] button and then set recipients in the pop-up window.
- Select the notification recipient and method and then click the [Add] button to add the recipient.
- If you want to add new personnel to notification recipients, click the [Manage notification recipients] button at the top right of the pop-up window and then register recipient information on the page that opens.
- For more details about the management of the notification recipient group, refer to the Cloud Insight(VPC) Guide.
- Once you have finished setting recipients, click the [Save settings] button.
7. Complete settings
Once you have completed all the settings, click the [Complete settings] button. Check the details in the notification pop-up window and then click the [Complete creating diagnosis task] button.
- The task details are added to the list of diagnosis tasks.
- Diagnosis starts immediately if you selected immediate execution, and the diagnostic report is displayed after the diagnosis is completed.
Check diagnostic reports
The following describes how to check the report that includes diagnostic results.
- From the NAVER Cloud Platform console, click the Services > Security > Web Security Checker menus in that order.
- In the diagnosis task history, click the [Report] button of the task you want to view.
- Check the details in the diagnostic report.
- You can download the report as a PDF file. Click the [Download PDF] button in the top right corner.
- The details displayed in the report can be edited. Click the [Edit] button at the bottom of the page and then select the information to be displayed in the Details area. Once the edit is completed, click the [Apply] button.
Stop diagnosis
A diagnosis task that has been started can be stopped. Tasks in the following statuses can be stopped.
- URL collection pending
- URL collection in progress
- Diagnosis in progress
The following describes how to stop diagnosis.
- From the NAVER Cloud Platform console, click the Services > Security > Web Security Checker menus in that order.
- Click the [Cancel] or [Stop] button in the diagnostic results column of the task to be stopped.
- In the notification pop-up window, click the [Yes] button.
- The diagnosis task is stopped.
Cancel reservation
The following describes how to cancel a reserved diagnosis task.
- From the NAVER Cloud Platform console, click the Services > Security > Web Security Checker menus in that order.
- Click the [Cancel] button in the reserved diagnosis task history.
- In the notification pop-up window, click the [Yes] button.
- The diagnosis reservation is canceled.
Run re-diagnosis
The following describes how to re-diagnose a task that has completed diagnosis.
- From the NAVER Cloud Platform console, click the Services > Security > Web Security Checker menus in that order.
- In the diagnosis task history, click the [Create re-diagnosis task] button of the task that you’d like to re-diagnose.
- When the Create diagnosis task page appears, set up tasks by referring to 2. Enter information to be excluded.
- The diagnosis target is automatically set to the same URL and is not changed.
You can run the actions above in the same way by using the Web Security Checker API.
- View the list of diagnosis tasks and search for specific diagnosis history: getJobs API, searchJobs API
- Run (re-)diagnosis: createJob API
- Check diagnostic reports: getReport API
- Stop diagnosis: stopJob API
- Cancel diagnosis: cancelJob API