May 6th, 2010 | Published in Google Testing
by Bruce Leban in Google Kirkland
If you want your application to be as secure as possible, you need to learn how Evil People think. And you'll want to use that knowledge to do penetration testing: attacking your own application to try to find bugs.
To help you understand how applications can be attacked and how to protect them from attack, we've created the “Web Application Exploits and Defenses” codelab. The codelab uses Gruyere, a small, cheesy web application that is full of real-world bugs.
In the codelab, you'll learn how to:
Attack a web application to find and exploit common web security vulnerabilities.
Avoid and fix these common bugs.
Gruyere is chock full of cool features, and the more features an application has, the larger its attack surface. Your application probably has features just like these:
Can you match each feature to the vulnerability that it exposes and the exploit it enables?
Features:
New template language
HTML allowed in snippets
File upload capability
Web-based admin console
Vulnerabilities:
Cross Site Scripting (XSS)
Cross Site Request Forgery (XSRF)
Cross Site Script Inclusion (XSSI)
Elevation of privilege
Denial of Service (DoS)
Ha! Tricked you! Each of these features introduces multiple vulnerabilities. And each vulnerability can be exploited in multiple ways. The codelab walks you step by step through each vulnerability, with progressive hints guiding you on how to find them, how to exploit them and how to avoid them.
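Two of the feature/vulnerability pairs from the list above, written out as an added example in Python (the language Gruyere is written in); this is not Gruyere's own code or the codelab's solution. "HTML allowed in snippets" is shown as a handler that echoes the user's markup beside an allowlist sanitizer, and the "web-based admin console" is shown as an action that trusts the URL beside one that checks the actor's role on the server and requires a session-bound XSRF token. The allowed-tag set, the in-memory account table and the per-process secret key are assumptions made for the demo.

```python
# Added example (not Gruyere's own code).  Two of the feature/vulnerability
# pairs from the list: "HTML allowed in snippets" -> XSS, and "web-based admin
# console" -> XSRF and elevation of privilege.  ALLOWED_TAGS, the in-memory
# account dict and the per-process SECRET_KEY are assumptions for this demo.
import hashlib
import hmac
import secrets
from html import escape
from html.parser import HTMLParser

# ---- HTML allowed in snippets -> XSS --------------------------------------

def render_snippet_unsafe(snippet):
    """Echoes the user's HTML verbatim: <script>, onerror=, javascript: survive."""
    return snippet

ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p"}   # assumed formatting subset
VOID_TAGS = {"br"}

class _Sanitizer(HTMLParser):
    """Rebuilds the snippet from scratch: keeps only allowed tags, drops every
    attribute, escapes all text.  Unknown markup is removed, never 'cleaned'."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}>")
        elif tag in ALLOWED_TAGS:
            self.stack.append(tag)
            self.out.append(f"<{tag}>")             # attributes deliberately dropped

    def handle_endtag(self, tag):
        if tag in self.stack:                        # also closes tags nested inside
            while self.stack:
                t = self.stack.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))    # covers <script> bodies as well

    def handle_comment(self, data):
        pass                                         # comments never reach the page

    def result(self):
        self.close()
        while self.stack:                            # balance anything left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)

def sanitize_snippet(snippet):
    p = _Sanitizer()
    p.feed(snippet)
    return p.result()

# ---- Web-based admin console -> XSRF, elevation of privilege ---------------

SECRET_KEY = secrets.token_bytes(32)   # assumed per-deployment secret

def xsrf_token(session_id):
    """Token bound to the session: a cross-site page can make the browser send
    the session cookie, but it cannot read this value to put it in the form."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def admin_grant_unsafe(accounts, session, form):
    """Trusts that only admins find the URL and that the POST came from our form."""
    accounts[form["user"]]["is_admin"] = True
    return 200

def admin_grant(accounts, session, form):
    """Authorizes the actor server-side, then requires the session-bound token."""
    actor = accounts.get(session.get("user"))
    if not actor or not actor["is_admin"]:
        return 403                                   # hiding the link is not authorization
    expected = xsrf_token(session["id"])
    if not hmac.compare_digest(form.get("xsrf_token", ""), expected):
        return 403                                   # forged cross-site request
    accounts[form["user"]]["is_admin"] = True
    return 200

if __name__ == "__main__":
    print(sanitize_snippet('<b onclick="x()">hi</b><script>alert(1)</script>'))
```

The sanitizer is an allowlist, not a blocklist: it emits only tag names it recognises and re-escapes every run of text, so an unknown tag, an event-handler attribute or an entity-encoded `<script>` all come out inert. The hardened admin action makes the two checks that the feature list hides: the role check stops a logged-in non-admin who guesses the URL (elevation of privilege), and the token check stops a page on another origin from submitting the form with the victim's cookies (XSRF).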
Here are some examples of fictitious attacks against Google applications. Do you recognize them? (answers below)
Are you sure that your application isn't vulnerable to similar attacks!?
Check out the Toilet-Friendly Version for the answers