URL: https://google-gruyere.appspot.com/
Submission: On November 09 via api from IN — Scanned from DE


WEB APPLICATION EXPLOITS AND DEFENSES

A Codelab by Bruce Leban, Mugdha Bendre, and Parisa Tabriz

Table of Contents
 * Beat the hackers
 * Gruyere
 * Set-up
   * Reset Button
   * About the Code
   * Features and Technologies
 * Using Gruyere
 * Cross-Site Scripting (XSS)
   * XSS Challenges
   * File Upload XSS
   * Reflected XSS
   * Stored XSS
   * Stored XSS via HTML Attribute
   * Stored XSS via AJAX
   * Reflected XSS via AJAX
   * More about XSS
 * Client-State Manipulation
   * Elevation of Privilege
   * Cookie Manipulation
 * Cross-Site Request Forgery (XSRF)
   * XSRF Challenge
   * More about preventing XSRF
 * Cross Site Script Inclusion (XSSI)
   * XSSI Challenge
 * Path Traversal
   * Information disclosure via path traversal
   * Data tampering via path traversal
 * Denial of Service
   * DoS - Quit the Server
   * DoS - Overloading the Server
   * More on Denial of Service
 * Code Execution
   * Code Execution Challenge
   * More on Remote Code Execution
 * Configuration Vulnerabilities
   * Information disclosure #1
   * Information disclosure #2
   * Information disclosure #3
 * AJAX vulnerabilities
   * DoS via AJAX
   * Phishing via AJAX
 * Other Vulnerabilities
   * Buffer Overflow and Integer Overflow
   * SQL Injection
 * After the Codelab

WANT TO BEAT THE HACKERS AT THEIR OWN GAME?

 * Learn how hackers find security vulnerabilities!
 * Learn how hackers exploit web applications!
 * Learn how to stop them!

This codelab shows how web application vulnerabilities can be exploited and how
to defend against these attacks. The best way to learn things is by doing, so
you'll get a chance to do some real penetration testing, actually exploiting a
real application. Specifically, you'll learn the following:

 * How an application can be attacked using common web security vulnerabilities,
   like cross-site scripting vulnerabilities (XSS) and cross-site request
   forgery (XSRF).
 * How to find, fix, and avoid these common vulnerabilities and other bugs that
   have a security impact, such as denial-of-service, information disclosure, or
   remote code execution.

To get the most out of this lab, you should have some familiarity with how a web
application works (e.g., general knowledge of HTML, templates, cookies, AJAX,
etc.).

GRUYERE

This codelab is built around Gruyere /ɡruːˈjɛər/ - a small, cheesy web
application that allows its users to publish snippets of text and store assorted
files. "Unfortunately," Gruyere has multiple security bugs ranging from
cross-site scripting and cross-site request forgery, to information disclosure,
denial of service, and remote code execution. The goal of this codelab is to
guide you through discovering some of these bugs and learning ways to fix them
both in Gruyere and in general.

The codelab is organized by types of vulnerabilities. In each section, you'll
find a brief description of a vulnerability and a task to find an instance of
that vulnerability in Gruyere. Your job is to play the role of a malicious
hacker and find and exploit the security bugs. In this codelab, you'll use both
black-box hacking and white-box hacking.

In black-box hacking, you try to find security bugs by experimenting with the
application and manipulating input fields and URL parameters, trying to cause
application errors, and looking at the HTTP requests and responses to guess
server behavior. You do not have access to the source code, although
understanding how to view source and being able to view HTTP headers (as you
can in Chrome or with LiveHTTPHeaders for Firefox) is valuable. Using a web
proxy like Burp or ZAP may be helpful in creating or modifying requests.

In white-box hacking, you have access to the source code and can use automated
or manual analysis to identify bugs. You can treat Gruyere as if it's open
source: you can read through the source code to try to find bugs. Gruyere is
written in Python, so some familiarity with Python can be helpful. However, the
security vulnerabilities covered are not Python-specific and you can do most of
the lab without even looking at the code. You can run a local instance of
Gruyere to assist in your hacking: for example, you can create an administrator
account on your local instance to learn how administrative features work and
then apply that knowledge to the instance you want to hack.

Security researchers use both hacking techniques, often in combination, in real
life.


We'll tag each challenge to indicate which techniques are required to solve
it:

 * Challenges that can be solved just by using black-box techniques.
 * Challenges that require that you look at the Gruyere source code.
 * Challenges that require some specific knowledge of Gruyere that will be
   given in the first hint.


WARNING: Accessing or attacking a computer system without authorization is
illegal in many jurisdictions. While doing this codelab, you are specifically
granted authorization to attack the Gruyere application as directed. You may not
attack Gruyere in ways other than described in this codelab, nor may you attack
App Engine directly or any other Google service. You should use what you learn
from the codelab to make your own applications more secure. You should not use
it to attack any applications other than your own, and only do that with
permission from the appropriate authorities (e.g., your company's security
team).

© Google 2017 Terms of Service
The code portions of this codelab are licensed under the Creative Commons
Attribution-No Derivative Works 3.0 United States license
<https://creativecommons.org/licenses/by-nd/3.0/us>. Brief excerpts of the code
may be used for educational or instructional purposes provided this notice is
kept intact. Except as otherwise noted the remainder of this codelab is licensed
under the Creative Commons Attribution 3.0 United States license
<https://creativecommons.org/licenses/by/3.0/us>.