Using Web Security Checker

Available in Classic and VPC

You can run web service diagnosis and check the results from the NAVER Cloud Platform console.

Web Security Checker interface

The Web Security Checker interface includes the following components:

Component: Description
① Menu name: Current menu name.
② Basic features: Features displayed upon the initial entry into the Web Security Checker menu.
  • [Create diagnosis task]: Click to create a new diagnosis task (see Run diagnosis).
  • [Learn more]: Go to the Web Security Checker overview page.
  • [Refresh]: Reload the list of diagnosis tasks.
③ Search window: Search diagnosis tasks by diagnosis URL and memo details.
④ Search filter: Specify a range of diagnosis tasks to be searched.
⑤ Diagnosis task list: The list of the diagnosis tasks executed.
  • [Report]: Click to view the diagnostic report (see Check diagnostic report).
  • [Create re-diagnosis task]: Click to diagnose the same URL again (see Run re-diagnosis).
  • [Cancel]: Click to cancel a reserved diagnosis task (see Cancel reservation).
  • [Stop]: Click to stop a diagnosis task in progress (see Stop diagnosis).
  • [Detailed description]: Click to view a detailed description of the cause when URL collection or diagnosis fails.

Run diagnosis

    To run a diagnosis for a web service:

    Note
    • Unintended operations may occur in the course of diagnosis. To prepare for this, run the diagnosis against a test environment rather than a production environment.
    • Set up backups and monitoring before the diagnosis to make it safer. You can also use the resource monitoring service provided by NAVER Cloud Platform (Cloud Insight (VPC)).
    1. From the NAVER Cloud Platform console, navigate to the menu icon > Services > Security > Web Security Checker.
    2. Click [Create diagnosis task].
    3. When the diagnosis task creation page appears, proceed with the following steps in order:

    1. Enter target information

    Enter a diagnostic target URL and click [Check for the ownership status].

    • Enter the URL including http:// or https://.
    • If the web server runs on another company's infrastructure rather than on NAVER Cloud Platform, perform the following additional tasks:
      • Make exceptions for the Web Security Checker IP so that the Web Security Checker scanner is not blocked on the other company's network.
      • Click [Create and download authentication file] to download the authentication file, and upload it to one of the paths listed on the page.
      • Agree that you may be liable if the web server is not your own.

    2. Enter exclusion target information

    If there is any page or directory to be excluded from the diagnosis, enter the exclusion target information and click [Add].

    • You can enter multiple URLs.
    • Click [Remove] to cancel details entered as exclusion targets.
    Note

    Pages that you might exclude are as follows:

    • Pages that may affect the web service significantly.
    • Pages on which script execution during URL collection or diagnosis must be blocked.

    3. Enter authentication information

    Enter the authentication information for a web service that requires authentication.

    • Enter the authentication information as an HTTP header.
    • If you don’t need the authentication information, select No input.
    • Log in to the diagnosis target server, copy the Request Header value, and paste it into the HTTP Header input field.
    • Click [View screenshots of authentication results] to check whether the value entered was applied successfully.
    Note

    If the account used for authentication has admin or equivalent permissions, the risk may be higher than with a general account. Make sure to use an account that has only the necessary permissions.

    4. Reserve schedule

    Set the diagnosis schedule.

    • To start diagnosis immediately, select Immediately.
    • To reserve a diagnosis, select Reservation and the execution date. Reservation is available only within 30 days from the current date.
    Note

    For a safe diagnosis, it is recommended to perform the diagnosis when the target service has fewer users.

    5. Set details

    If needed, set the diagnosis items, User Agent, and speed of the diagnosis task.

    • Diagnosis items: Select items you want for the vulnerability scan.
    • Select User Agent: Select the environment to diagnose.
    • Diagnosis speed: Select the diagnosis speed.
      • Faster diagnosis speeds may increase the load on the web service.

    6. Set notifications

    To set notification recipients for the events that may occur during diagnosis, click [Set notification recipients] and set recipients from the popup.

    • Select the notification recipient and method and click [Add] to add the recipient.
    • To add a new contact as a notification recipient, click the [Manage notification recipient] button at the top right of the pop-up, then register the recipient information on the resulting page.
    • For more information about managing notification recipient groups, see the Cloud Insight (VPC) user guide.
    • When you have finished setting recipients, click [Save settings].

    7. Complete settings

    When you have completed all the settings, click [Complete settings].
    Check details in the notification popup and then click [Complete creating diagnosis task].

    • The task is added to the list of diagnosis tasks.
    • Diagnosis starts immediately if you set the immediate execution, and the diagnostic report is displayed after the diagnosis is completed.
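
The inputs from steps 1 to 4 can be checked before they are entered in the console. The following is an added example, not NAVER Cloud Platform code. It assumes the authentication header is a bearer JWT, that roles appear in a roles or role claim, and that exclusion URLs share the target's origin; preflight, jwt_claims and sample_header are hypothetical names, and the sample token is constructed.

```python
import base64
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

ADMIN_HINTS = {"admin", "administrator", "root", "superuser"}  # assumed role names

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(target, exclusions, header_line, run_at, now):
    """Return a list of problems with the planned diagnosis task inputs."""
    problems = []
    t = urlsplit(target)
    if t.scheme not in ("http", "https") or not t.netloc:
        problems.append("target URL must include http:// or https://")
    for url in exclusions:
        e = urlsplit(url)
        if (e.scheme, e.netloc) != (t.scheme, t.netloc):  # assumption: same origin
            problems.append(f"exclusion outside target origin: {url}")
    if not now <= run_at <= now + timedelta(days=30):
        problems.append("reservation must fall within 30 days from now")
    name, _, value = header_line.partition(":")
    value = value.strip()
    is_bearer = name.strip().lower() == "authorization" and value.lower().startswith("bearer ")
    if is_bearer and value.count(".") == 2:  # looks like a JWT, not an opaque token
        claims = jwt_claims(value[7:].strip())
        exp = claims.get("exp")
        # A reserved diagnosis runs later; a token that expires first cannot log in.
        if exp is not None and datetime.fromtimestamp(exp, timezone.utc) <= run_at:
            problems.append("token expires before the diagnosis runs")
        roles = claims.get("roles") or claims.get("role") or []
        roles = [roles] if isinstance(roles, str) else roles
        if ADMIN_HINTS & {str(r).lower() for r in roles}:
            problems.append("token carries an admin-like role")
    return problems

def sample_header(exp, roles):
    """Build a constructed, unsigned sample header for the demo ("e30" is "{}")."""
    body = json.dumps({"exp": exp, "roles": roles}).encode()
    return "Authorization: Bearer e30." + base64.urlsafe_b64encode(body).decode().rstrip("=") + "."

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    hdr = sample_header(int((now + timedelta(days=1)).timestamp()), ["admin"])
    for p in preflight("https://test.example.com", [], hdr, now + timedelta(days=7), now):
        print(p)
```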

    Check diagnostic report

    To check the report with the diagnostic results:

    1. From the NAVER Cloud Platform console, navigate to the menu icon > Services > Security > Web Security Checker.
    2. Click the [Report] button of the diagnosis task you want to view.
    3. Check details in the diagnostic report.
      • You can download the report as a PDF file. Click the [Download PDF] button at the top right of the page.
      • You can edit the details to be displayed on the report. Click the [Edit] button at the bottom of the page and then select the information to be displayed in the details area. Once the edit is completed, click [Apply].

    Stop diagnosis

    You can stop a diagnosis task in progress. Tasks in the following statuses can be stopped:

    • URL collection pending
    • URL collection in progress
    • Diagnosis in progress

    To stop diagnosis:

    1. From the NAVER Cloud Platform console, navigate to the menu icon > Services > Security > Web Security Checker.
    2. Click the [Cancel] or [Stop] button in the diagnostic results column of the task you want to stop.
    3. In the notification popup, click [Yes].
      • The diagnosis task is stopped.

    Cancel reservation

    To cancel a reserved diagnosis task:

    1. From the NAVER Cloud Platform console, navigate to the menu icon > Services > Security > Web Security Checker.
    2. Click the [Cancel] button of the reserved diagnosis task.
    3. In the notification popup, click [Yes].
      • The diagnosis reservation is canceled.

    Run re-diagnosis

    To re-diagnose a task that has completed diagnosis:

    1. From the NAVER Cloud Platform console, navigate to the menu icon > Services > Security > Web Security Checker.
    2. Click the [Create re-diagnosis task] button of the diagnosis task that you’d like to re-diagnose.
    3. When the diagnosis task creation page appears, set up the diagnosis task by referring to 2. Enter exclusion target information.
      • The diagnosis target is automatically set to the same URL and is not changed.
    Note

    You can run the actions above in the same way by using the Web Security Checker API.