Security
For Platform 2.0 Only
Web Security Checker Update
고객의 웹 서비스에 대한 주요 취약점을 자동으로 진단합니다
Exhaustive Diagnosis of Vulnerabilities of Web Service Security
Web Security Checker performs fast and detailed scans enabling you to detect in advance the web service’s potential weak points and prevent dangers.
You can receive a report afterwards which includes a guide helping you better respond to detected vulnerabilities.
- Fast and Effective Scan
- Based on the security operation experience of NAVER, we mainly focus on web vulnerability items that are frequently infiltrated and have a high service impact when they occur. The scan quickly diagnoses most pages in the web services via dynamic analysis systems and employing automatic login capabilities.
- Stable Vulnerability Detection
- Using Smart Crawling, you can reduce unnecessary scans and also stably diagnose the websites in service through the algorithm developed to enable diagnosis without causing stress on the web service.
- Easy and Convenient Use
- On the web-based console, you can enter information about the web services for diagnosis, diagnosis categories, and login information easily. You can also book a diagnosis at the most convenient time for your web service.
Detailed Features
Web Security Checker automatically determines vulnerabilities in web services.
It examines a total of 18 risks (20 weak spots). You are recommended to select only essential spots, instead of all, to be investigated for your service operation.
If the diagnosis is done, you will be given a report including countermeasures to take in response to discovered risks.
Security Threats Response through Vulnerability Diagnosis
According to a recent analysis report, one of the main causes of personal information leakage is external attacks (65%). Most of these external attackers exploited web vulnerabilities, such as SQL Injection, XSS (Cross-Site Scripting), or LFI. Even recent, large-scale personal information hacking exploited the SQL Injection vulnerability. To prevent these indiscriminate attacks on web services, it is paramount to diagnose the vulnerabilities of the web service in advance. Web Security Checker allows you to respond effectively and conveniently to web security threats at an affordable cost. The Web Security Checker service protects your data on the web by scanning and eliminating vulnerabilities and preventing a hacking attack.
Customers Recommended for this Service
- Customers who want to enhance service reliability by improving web service vulnerabilities
- Customers who need automated vulnerability assessment
- Customers who cannot afford costly web vulnerability assessment tools or security consulting
- Customers who want to easily diagnose vulnerabilities for a security certification or to comply with relevant laws
Main Provided Features
| Feature | Description |
|---|---|
| Free Rediagnosis Feature | In case of diagnosing the same target within sixty days after the first diagnosis, you can diagnose the vulnerability up to two additional times without additional cost. |
| Check Diagnosis Status and Result | You can cancel the diagnoses that are scheduled or in progress. When a diagnosis is complete, you can check the number of detected vulnerabilities and the detailed results. |
| Setting Diagnosis Categories | By default there are 18 checklists (20 weak spots) to be examined, but you can select only some points you need to check. |
| Setting User-Agent | The vulnerability diagnosis is performed by setting the User-Agent to suit your web service environment. |
| Setting a Diagnosis Schedule | You can perform an immediate or a scheduled diagnosis depending on your needs. Immediate Diagnosis – Diagnosis is performed immediately after the request. Scheduled Diagnosis – Diagnosis is performed on the desired date and time. |
| Notification Setting | Upon completion of the diagnosis, a notification on the completion will be sent via the preferred method (email or SMS). (Pre-setting necessary) |
| Diagnostic Report | The diagnostic results are summarized and provided as a report. The report provides detailed information about the discovered vulnerabilities and countermeasures to those vulnerabilities. |
| Setting Up the Scan Speed | Users can select and control the speed at which security vulnerabilities are examined. The faster the speed becomes, the more time is saved. However, the service load can be higher. You can select 30 RPS (normal), 60 RPS (higher), or 90 RPS (highest). (RPS: Requests Per Second) |
Diagnosis Category
| SQL Injection | Description | An attacker can use this to leak or manipulate data in internal database by injecting some phrases into SQL, which is used for web applications. |
|---|---|---|
| Cause of Occurrence | It occurs when you use parameters input by users as a data query language without scrutiny. | |
| Risk | It is highly risky since a hacker is able to leak or manipulate data, write or read a file on the server, or even execute a command. | |
| XSS (Cross-Site Scripting) | Description | An attacker can use this to disrupt the web page by injecting malicious script. |
| Cause of Occurrence | It occurs when you use parameters input by users without scrutiny. | |
| Risk | Hackers can steal the users’ information (cookies, sessions, etc.) or intentionally cause an automated abnormal function. | |
| LFI (Local File Inclusion) | Description | An attacker can use this to include and run a malicious file located inside the web server. |
| Cause of Occurrence | It occurs when you put information as they are input by users into functions like include(), include_once(), require(), etc. | |
| Risk | It is highly risky since one can execute a malicious command, if will, in the system where the file is loaded. | |
| RFI (Remote File Inclusion) | Description | An attacker can use this bring and run a malicious file located in the attacker’s remote server. |
| Cause of Occurrence | It occurs when you put information as they are input by users into functions like include(), include_once(), require(), etc. | |
| Risk | It is highly risky since one can execute a malicious command, if will, in the system where the file was loaded. | |
| SSRF (Server-Side Request Forgery) | Description | Sometimes, a web application gets results at the request of a user by accessing other systems or implementing the request. This time, the current web application can be forced to access an internal server not accessible from outside network and act something strange that is not supposed to happen. As such, this may cause a vulnerability to the internal server. |
| Cause of Occurrence | It occurs when an effort to verify data lacks which are input by users (domains, etc.). | |
| Risk | It is highly risky since an attack may occur through a detour around the security equipment or against the internal system behind the firewall or beyond the expectation. | |
| File Upload | Description | An attacker can use this to run a web server as an authorized user by uploading a malicious script file to the server. |
| Cause of Occurrence | It occurs if you fail to complete a security check for the file to be uploaded. | |
| Risk | As it allows you to directly control the server, the impact on service may be deadly although the authority level may be different depending on each environment. | |
| File Download | Description | An attacker can download or open some files in the server and disclose them to clients against your intention. |
| Cause of Occurrence | It occurs if you fail to check input parameters when you download a file from application logic. | |
| Risk | As it allows an attacker to obtain not only data without authority but also important files like the system information. | |
| XXE (XML External Entity) | Description | When using XML data from the web application, an attacker can abuse the function of External Entity, with which you can dynamically include external URI resources in XML document, causing an unintended action. |
| Cause of Occurrence | It occurs on the page of XML request parsing. A hacker can attack when receiving full XML data from a user or when DTD definition is available. | |
| Risk | A file located on a server may open and denial of service may occur. | |
| Command Injection | Description | An attacker can maliciously deliver a command to the server and execute it. |
| Cause of Occurrence | It occurs when you fail to thoroughly check the parameters input by users in the web application before using them for the system function. | |
| Risk | As it allows you to directly control the server, the impact on service may be deadly although the authority level may be different depending on each environment. | |
| Insufficient Authorization | Description | This is about whether a normal user can have access to a certain web application which is not supposed to be open to public. i.e.) tomcat-admin, phpmyadmin, Jenkins, etc. |
| Cause of Occurrence | It occurs when you fail to control access to web applications used for management or the other purpose. | |
| Risk | It may allow attackers to collect information from an open page or make any further attacks. | |
| Specific Vulnerabilities | Description | This is about weak points which are highly vulnerable to an attack on a certain application leading to large-scale ripple effects. i.e.) ShellShock (CVE-2014-6271), etc. |
| Cause of Occurrence | It occurs when you fail to take a proper action in response to a known bug in an application. | |
| Risk | It may cause a deadly impact on service like a remote execution of commands, system memory leak, and encryption key leak. | |
| File Management | Description | Unnecessary files for the web server operation are to be all removed or managed in different systems. |
| Risk | If you fail to meet the management standards, the system information may be open and used for another. | |
| Directory Listing | Description | This is about an attack in relation to the function of allowing indexing of the web server directory or directory with important information. In case of such an attack, file list in directory is likely to be exposed. |
| Cause of Occurrence | It occurs either when the current function is configured as on or due to bugs in some applications. | |
| Risk | Hackers can figure out the structure of the web application system and see configuration files which include sensitive information. They can use them to make multiple attacks. | |
| Source Code Disclosure | Description | This is about an attack in relation to an exposure of source code due to a failure of web server script file. |
| Cause of Occurrence | It occurs either when the web server fails to recognize script file or due to bugs in the application itself. | |
| Risk | Attackers can get access to important information such as the server directory path, DB connection information, and the application internal logic by obtaining a source code. | |
| Information Disclosure | Description | This type of vulnerability exposes information on the web service that the attacker can take advantage of, such as server or error information. |
| Cause of Occurrence | This type of vulnerability occurs when there is inadequate handling of various error messages or server settings. | |
| Risk | An attacker can exploit this vulnerability to collect information, such as the server environment, directory path, or the library information of the web server. | |
| URL Redirection | Description | This is about an attack in relation to the function of allowing users to be redirected against the users’ intention. |
| Cause of Occurrence | It occurs when you fail to completely check if a URL is right before it is directed. | |
| Risk | Attackers can redirect users to a phishing or malicious code page. | |
| Insecure SSL/TLS | Description | This is about an attack in relation to the use of insecure SSL/TLS versions. |
| Cause of Occurrence | It occurs when you use insecure SSL/TLS or cipher suites. | |
| Risk | Generally, attackers can attack on Man-In-The-Middle (MITM) which is able to decipher encrypted data. Then, important information included in memory such as server key can be exposed according to OpenSSL used in the server. | |
| Mixed Content | Description | This is about an attack in relation to the use of HTTP leading to a leak of important content which is to be protected. |
| Cause of Occurrence | It occurs when you mix HTTP and HTTPS while in use. | |
| Risk | Attackers can collect or manipulate the non-encrypted content which uses HTTP protocol. |
Notes for Use
- 1) If a script is executed during the crawling or diagnosis process, a test value may be recorded or data may be changed or deleted.
Web Security Checker may click a button or a link to execute functions while processing the web page dynamically to maximize information crawling. While doing so, there may be some unintentional change or deletion of data or input of test data. Despite being designed to avoid such actions, it may still occur depending on the developed code. - 2) An email may be sent to the website administrator.
If the web service implements a feature to send an email to the administrator, an email with a test value could be sent. - 3) An increase of traffic can occur during the diagnosis.
Our in-house developed diagnosis algorithm is designed to minimize traffic occurrence, however some traffic may occur due to the nature of the vulnerability diagnosis solution. - 4) A delay in the response time of the website.
Web Security Checker transmits large number of HTTP packets to the web server for a clear diagnosis of the web vulnerabilities. Therefore, various safety measures and optimized diagnosis algorithms have been adapted to minimize requests and to avoid slowing down the web response time. Despite it generating safer traffic and lower volumes compared to S/W designed for similar operations, the response time may be delayed for some sites, depending on the implemented code. In particular, you may experience a delay if a SQL related vulnerability exists in the site due to coding.
Tips for a Safer Diagnosis
- 1) Use the test environment.
Web Security Checker is designed for a relatively safe operation. Nevertheless, precaution is required as some unintended actions may occur in the process of meticulously searching for vulnerabilities. If you use a test environment that is not a real server, such as alpha, beta, or development servers, you can receive a safer diagnosis service. - 2) Use backup and monitoring.
If you use the aforementioned test environment and also conduct backup and monitoring prior to the diagnosis, you can minimize potential risks for a safer diagnosis service.
※ The NAVER CLOUD PLATFORM Monitoring service is provided free of charge. Use this service for safer use of the diagnosis service. - 3) Utilize 'Excluded URLs.'
You can enter URLs to exclude from the diagnosis using the ‘Enter Details of Excluded Targets’ feature. Enter the information of pages that may have great effect on the service or pages that need blocking of script execution during crawling/diagnosis and exclude them from diagnosis.
- 4) If a login is required, grant appropriate rights to the account.
An unintended action occurring on an administrator or developer's account has a much higher risk than general accounts. If a login is required via ID/PW input or Cookie, make sure only appropriate rights are granted for the accounts.
- 5) Use the booking feature to diagnose at hours with less user traffic.
A safe diagnosis is essential for officially launched services. Therefore it is recommended that you conduct diagnosis at hours with low user traffic, such as early morning hours.
Sample Report
The vulnerability report includes results on preset information, details on each vulnerability, and a specific countermeasure.
Pricing Information
We provide a flexible price plan depending on the usage amount.
Web Security Checker fees are charged based on the number of diagnoses.
| Billing Standard (Times) | Usage Fee (in KRW) |
|---|---|
| Per No. of Diagnosis | 400,000 KRW |
* In case of diagnosing the same target within sixty days after the first diagnosis, you can diagnose the vulnerability up to two additional times without additional cost.
- Same target means the website with the same URL as the public IP of the initially scanned website.
- Once the valid period or number of available rediagnosis is exceeded, the fee will be calculated as a new diagnosis.
*In the following cases, you will not be charged and not be given security diagnostics.
- You will not be charged if:
- Web Security Checker fails to detect and diagnose vulnerabilities for its system fault.
- you ask to stop the diagnostic process during the scan.
- Customer Support Center quits the diagnostic process at your request during the scan.
- a normal access is not available to the website to be diagnosed.
Please note that all cases other than circumstances described above will be normally charged and you should check necessary issues, if any, prior to the process start.
Was this page helpful?