Testing Blog
Do Know Evil
Thursday, May 6, 2010
Web Application Exploits and Defenses
by Bruce Leban in Google Kirkland
http://google-gruyere.appspot.com/
If you want your application to be as secure as possible, you need to
learn how Evil People think.
And you'll want to use that knowledge to
do penetration testing:
attacking your own application to try to find bugs.
To help you
understand ho
w applications can be attacked
and how to protect them from attack,
we've created the
“Web Application Exploits and Defenses” codelab
.
Th
e codelab uses
Gruyere
, a small, cheesy, web application that is full of real world bugs.
In the codelab, you'll learn how to:
Attack a web application
to find and exploit common web security vulnerabilities.
Avoid and fix these common bugs.
Gruyere is chock full of cool features, and
the more features
an application has
th
e larger the attac
k surface.
Your application probably has features just like these:
Can you match each feature to the vulnerability that it exposes and the exploit it enables?
Feature
New template language
HTML allowed in snippets
File upload capability
AJAX
Web-based admin console
Vulnerability
Cross Site Scripting (XSS)
Cross Site Request Forgery (XSRF)
Cross Site Script Inclusion (XSSI)
Path traversal
Client-state manipulation
Exploit
Information disclosure
Elevation of privilege
Denial of Service (DoS)
Spoofing
Code execution
Ha! Tricked you! Each of these features introduces multiple vulnerabilities. And each vulnerability can be exploited in multiple ways.
The codelab walks you step by step through each vulnerability
,
with progressive hints guiding you on how to find them, how to exploit them and how to avoid them.
Here are
some
examples of
fictitious
attacks
against Google applications. Do you recognize them? (answers below)
http://www.gmail.com/?search=in:spam+%3Cscript%3EmoveToInbox(selectAll())%3C/script%3E
http://www.blogger.com/delete-blog.g
http://www.picasa.com/../../../../../../../etc/passwd
http://www.youtube.com/admin?v=Vr0oK3gMzK&action=rickroll
http://checkout.google.com/buy?order=4815162342&total=0.01
Are you sure that your application isn't vulnerable to similar attacks!?
Check out the
Toilet-Friendly Version for the answers
1 comment :
DiegoCarpintero
May 7, 2010 at 1:11 AM
Great!! really cool stuff :) thx
Reply
Delete
Replies
Reply
Add comment
Load more...
Labels
Aaron Jacobs
1
Adam Porter
1
Alan Faulkner
1
Alan Myrvold
1
Alberto Savoia
4
Alek Icev
2
Alex Eagle
1
Allen Hutchison
6
Andrew Trenk
8
Android
1
Anthony Vallone
25
Antoine Picard
1
APIs
2
App Engine
1
April Fools
2
Arif Sukoco
1
Bruce Leban
1
C++
11
Chaitali Narla
2
Christopher Semturs
1
Chrome
3
Chrome OS
2
Dave Chen
1
Diego Salas
2
Dmitry Vyukov
1
Dori Reuveni
1
Eduardo Bravo Ortiz
1
Ekaterina Kamenskaya
1
Erik Kuefler
3
Espresso
1
George Pirocanac
2
Google+
1
Goranka Bjedov
1
GTAC
54
Hank Duan
1
Harry Robinson
5
Havard Rast Blok
1
Hongfei Ding
1
James Whittaker
42
Jason Arbon
2
Jason Elbaum
1
Jason Huggins
1
Java
5
JavaScript
7
Jay Han
1
Jessica Tomechak
1
Jim Reardon
1
Jobs
14
Joe Allan Muharsky
1
Joel Hynoski
1
John Penix
1
John Thomas
3
Jonathan Rockway
1
Jonathan Velasquez
1
Julian Harty
5
Julie Ralph
1
Karin Lundberg
1
Kaue Silveira
1
Kevin Graney
1
Kirkland
1
Kurt Alfred Kluever
1
Lesley Katzen
1
Marc Kaplan
3
Mark Ivey
1
Mark Striebeck
1
Marko Ivanković
1
Markus Clermont
3
Michael Bachman
1
Michael Klepikov
1
Mike Wacker
1
Misko Hevery
32
Mobile
2
Mona El Mahdy
1
Noel Yap
1
Patricia Legaspi
1
Patrick Copeland
23
Patrik Höglund
5
Peter Arrenbrecht
1
Phil Rollet
1
Philip Zembrod
4
Pooja Gupta
1
Radoslav Vasilev
1
Rajat Dewan
1
Rajat Jain
1
Rich Martin
1
Richard Bustamante
1
Roshan Sembacuttiaratchy
1
Ruslan Khamitov
1
Sean Jordan
1
Sharon Zhou
1
Shyam Seshadri
4
Simon Stewart
2
Stephen Ng
1
Tejas Shah
1
Test Analytics
1
Tony Voellm
2
TotT
54
Vojta Jína
1
WebRTC
2
Yvette Nameth
2
Zhanyong Wan
6
Zuri Kemp
2
Archive
2015
December
November
October
August
June
May
April
March
February
January
2014
December
November
October
September
August
July
June
May
April
March
February
January
2013
December
November
October
August
July
June
May
April
March
January
2012
December
November
October
September
August
2011
November
October
September
August
July
June
May
April
March
February
January
2010
December
November
October
September
August
July
June
May
GTAC: Call for Attendance & Proposals
Do Know Evil
April
March
February
January
2009
December
November
October
September
August
July
June
May
April
February
January
2008
December
November
October
September
August
July
June
May
April
March
February
January
2007
October
September
August
July
June
May
April
March
February
January
Feed
Follow @googletesting
Great!! really cool stuff :) thx
ReplyDelete