# Do know evil

*Cross-posted on the [Google Online Security Blog](https://googleonlinesecurity.blogspot.com/2010/05/do-know-evil-web-application)*

UPDATE July 13: We have changed the name of the codelab application to Gruyere. The codelab is now located at [https://google-gruyere.appspot.com](https://google-gruyere.appspot.com/).

We want Googlers to have a firm understanding of the threats our services face, as well as how to
help protect against those threats. We work toward these goals in a variety of ways, including
security training for new engineers, technical presentations about security, and other types of
documentation. We also use codelabs—interactive programming tutorials that walk participants
through specific programming tasks.
One codelab in particular teaches developers about common types of web application
vulnerabilities. In the spirit of the thinking that "it takes a hacker to catch a hacker," the
codelab also demonstrates how an attacker could exploit such vulnerabilities.
We're releasing this codelab, entitled "Web Application Exploits and Defenses," today in
coordination with [Google Code University](https://code.google.com/edu) and [Google Labs](https://www.googlelabs.com/) to help software developers better recognize, fix, and avoid similar flaws in their own
applications. The codelab is built around Gruyere, a small yet full-featured microblogging
application designed to contain lots of security bugs. The vulnerabilities covered by the lab
include cross-site scripting (XSS), cross-site request forgery (XSRF) and cross-site script
inclusion (XSSI), as well as client-state manipulation, path traversal and AJAX and configuration
vulnerabilities. It also shows how simple bugs can lead to information disclosure,
denial-of-service and remote code execution.
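As an added illustration of three of the bug classes listed above, here is a small Python example written for this post; it is not code from Gruyere or the codelab, and every function and sample value in it (the snippet renderer, the resource-root check, the session token helpers) is constructed for the illustration. Each pair places the weak pattern beside the corrected one: raw interpolation versus escaping for XSS, a naive file lookup versus a resolved-path check for path traversal, and a session-bound token compared in constant time for XSRF.

```python
import hashlib
import hmac
import html
import os

# Constructed, added example: the names below are hypothetical and are not
# taken from Gruyere or the codelab. Each pair shows the weak pattern beside
# the corrected one for a bug class the post lists.

# --- Cross-site scripting: rendering a microblog snippet ---------------------

def render_snippet_unsafe(text):
    """Interpolates user text straight into HTML, so any markup in it is live."""
    return "<div class='snippet'>%s</div>" % text


def render_snippet_safe(text):
    """Escapes the user text first; '<', '>', '&' and quotes become entities."""
    return "<div class='snippet'>%s</div>" % html.escape(text, quote=True)


# --- Path traversal: serving a file under a fixed resource directory ----------

def is_safe_resource_path(root, requested):
    """True only if the resolved path is still inside root.

    os.path.join discards root when `requested` is absolute, and '..' segments
    can climb out of root; realpath collapses both cases before the check.
    commonpath (rather than startswith) also rejects a sibling directory whose
    name merely begins with root, e.g. root 'res' vs. 'res2'.
    """
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, requested))
    return os.path.commonpath([root_real, target]) == root_real


# --- Cross-site request forgery: a per-session action token ------------------

def make_xsrf_token(secret, session_id):
    """Derives a token bound to the session with an HMAC over the session id."""
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_xsrf_token(secret, session_id, submitted):
    """Recomputes the expected token and compares it in constant time."""
    expected = make_xsrf_token(secret, session_id)
    return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    snippet = "<script>alert('xss')</script>"  # constructed test input
    print(render_snippet_unsafe(snippet))
    print(render_snippet_safe(snippet))
    for req in ("logo.png", "../../etc/passwd", "/etc/passwd"):
        print(req, is_safe_resource_path("/srv/gruyere_res", req))
    secret = b"constructed-server-secret"
    token = make_xsrf_token(secret, "session-42")
    print(verify_xsrf_token(secret, "session-42", token),
          verify_xsrf_token(secret, "session-43", token))
```

The resource-root check deliberately resolves both sides with `os.path.realpath` so that symlinks, `..` segments and absolute requests are all judged on where they actually land; a string-prefix comparison on the raw request would miss every one of those cases.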
The maxim, "given enough eyeballs, all bugs are shallow" is only true if the eyeballs know what to
look for. To that end, the security bugs in Gruyere are real bugs—just like those in many
other applications. The Gruyere source code is published under a Creative Commons license and is
available for use in whitebox hacking exercises or in computer science classes covering security,
software engineering or general software development.
To get started, visit <https://google-gruyere.appspot.com/>. An instructor's guide for using the codelab is now available on [Google Code University](https://code.google.com/edu/security/index).

Posted by Bruce Leban, Software Engineer, on Tuesday, May 04, 2010