Starting Penetration testing on GAE

Azher Uddin Farooqi

Jun 25, 2015, 5:15:08 AM
to google-a...@googlegroups.com
Hi,

We are starting penetration testing (for DOS, CSRF and XSS attacks etc.) on Google App Engine. Do you see any issues?

Nick (Cloud Platform Support)

Jun 25, 2015, 6:18:23 PM
to google-a...@googlegroups.com, Azher Uddin Farooqi
Hey Azher,

Any app-level security tests are going to be fine: injection, CSRF, XSS, etc., will be fine to test, since we don't monitor or prevent this in any way. It's up to app developers to safeguard from these app-level vulnerabilities.

However, when it comes to DOS, be aware that our infrastructure does actively prevent these, as you can read in the Security Whitepaper:

All traffic is routed through custom GFE (Google Front End) servers to detect and stop malicious requests and Distributed Denial of Service (DDoS) attacks.

Conducting a (D)DOS attack, whether "real" or a "test" (they're ultimately identical in terms of network packets), will have the result of potentially rousing the infrastructure security systems from slumber, and might result in black-listing the IPs you used as your launchpad for the (D)DOS.

Additionally, note that attempting to break out of the security sandbox is of course in violation of the Terms of Service, and you'll want to take a look at that as well before proceeding.

Do you have any further questions related to security and pen-testing?

-- Nick

Azher Uddin Farooqi

Jun 26, 2015, 6:52:24 AM
to google-a...@googlegroups.com, Azher Uddin Farooqi
Hi Nick,

Thank you very much for your reply. I will go through the links you have provided.

-- Azher