The latest news and insights from Google on security and safety on the Internet
May 4, 2010
Do Know Evil: web application vulnerabilities
UPDATE July 13: We have changed the name of the codelab application to Gruyere. The codelab is now located at http://google-gruyere.appspot.com.
We want Google employees to have a firm understanding of the threats our services face, as well as how to help protect against those threats. We work toward these goals in a variety of ways, including security training for new engineers, technical presentations about security, and other types of documentation. We also use codelabs — interactive programming tutorials that walk participants through specific programming tasks.
One codelab in particular teaches developers about common types of web application vulnerabilities. In the spirit of the thinking that "it takes a hacker to catch a hacker," the codelab also demonstrates how an attacker could exploit such vulnerabilities.
We're releasing this codelab, entitled "Web Application Exploits and Defenses," today in coordination with Google Code University and Google Labs to help software developers better recognize, fix, and avoid similar flaws in their own applications. The codelab is built around Gruyere, a small yet full-featured microblogging application designed to contain lots of security bugs. The vulnerabilities covered by the lab include cross-site scripting (XSS), cross-site request forgery (XSRF) and cross-site script inclusion (XSSI), as well as client-state manipulation, path traversal and AJAX and configuration vulnerabilities. It also shows how simple bugs can lead to information disclosure, denial-of-service and remote code execution.
The maxim, "given enough eyeballs, all bugs are shallow" is only true if the eyeballs know what to look for. To that end, the security bugs in Gruyere are real bugs — just like those in many other applications. The Gruyere source code is published under a Creative Commons license and is available for use in whitebox hacking exercises or in computer science classes covering security, software engineering or general software development.
To get started, visit http://google-gruyere.appspot.com. An instructor's guide for using the codelab is now available on Google Code University.
6 comments:
You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.
Note: Only a member of this blog may post a comment.
"it takes a hacker to catch a hacker,"
ReplyDeleteGREAT!!
Sure this should be titled "Defense against the Dark Arts" at Bugwarts University?
ReplyDeletevint
When you create an account, the user and password are sent by GET method.
ReplyDeleteMaybe, would be better send credentials via a POST form to avoid shoulder-surfing.
I had my wp blog hacked a while back with a script it was nasty. So this looks pretty interesting. I'm surprised it wasn't Jaiku :) I wonder why Google did work that site like they should of. Well anyway Google does many things I don't understand :) Thanks for the op to learn appreciate it
ReplyDeleteI think the lab skipped over bookmarklet attacks. You don't even need to create the link. The home page field could be set to javascript:alert("a"). When I first played around with the web app, I wasn't sure what the home page was (before I configured my account), and I clicked on the only two there.
ReplyDeleteAlso, by having the user expect a link, you can easily make up a phishing scheme (you could use a javascript redirect to replace the page in web history with your own site, which the pretends to be a warning that you are about to leave the site. then you send the user to some boring site, prompting the user to hit the back button. then, thanks to a cookie or remembering the ip address, your fake page asks the user to log in again.)
There are many people stealing information and pasword.
ReplyDeleteplease keep them away from doing it.
Thanks