Hey Azher,

Any app-level security tests are going to be fine: injection, CSRF, XSS, etc., will be fine to test, since we don't monitor or prevent this in any way. It's up to app developers to safeguard from these app-level vulnerabilities.

However, when it comes to DOS, be aware that our infrastructure does actively prevent these, as you can read in the Security Whitepaper <https://cloud.google.com/security/whitepaper>:

> All traffic is routed through custom GFE (Google Front End) servers to
> detect and stop malicious requests and Distributed Denial of Service (DDoS)
> attacks.

Conducting a (D)DOS attack, whether "real" or a "test" (they're ultimately identical in terms of network packets), will have the result of potentially rousing the infrastructure security systems from slumber, and might result in black-listing the IPs you used as your launchpad for the (D)DOS.

Additionally, note that attempting to break out of the security sandbox is of course in violation of the Terms of Service <https://cloud.google.com/terms/>, and you'll want to take a look at that as well before proceeding.

Do you have any further questions related to security and pen-testing?

-- Nick

On Thursday, June 25, 2015 at 5:15:08 AM UTC-4, Azher Uddin Farooqi wrote:
>
> Hi,
>
> We are starting penetration testing (for DOS, CSRF and XSS attacks etc.)
> on Google App Engine. Do you see any issues?
>
