Google Test Automation Conference (GTAC) 2010

Call for Attendance & Proposals


We are happy to announce that the application process is now open for Attendance and Proposals for the Fifth Google Test Automation Conference (GTAC), to be held in Hyderabad, India on October 28 - 29th.

As in previous years, GTAC is an invitation-only conference where we enable sharing of great ideas and active participation to challenge and refine our thoughts and experiences. As such, the application process expects you to share the ideas and insights you would bring to the conference and how these would further the discussion about this year’s theme of Test to Testability. This information will help the committee select a balanced audience of seasoned practitioners, students and academics.

Also this year, we are introducing a participant-driven format that will give the power to the attendees to select and voice their opinion on the speakers and the content! To make these changes, we are opening up proposals and attendance applications simultaneously. Once the initial set of participants are finalized, we will conduct online viewing and voting by the participants for presentations.

How to apply
For Attendance: Please visit http://www.gtac.biz/call-for-attendance
For Proposals (to present): Please visit http://www.gtac.biz/call-for-proposals

Deadline
The due date for both categories of applications is July 9th, 2010.

Registration Fees
There are no registration fees. Please check the FAQ page for more information.

Further information
General website: http://www.gtac.biz/
Call for proposals: http://www.gtac.biz/call-for-proposals
Call for attendance: http://www.gtac.biz/call-for-attendance
FAQ: http://www.gtac.biz/faq
Questions: Email us at gtac-2010@google.com

We look forward to your applications and a great GTAC!
Finally, we would appreciate your help in spreading the word about this event.

Regards
Sujay Sahni on behalf of the GTAC 2010 Committee

Web Application Exploits and Defenses
by Bruce Leban in Google Kirkland
http://google-gruyere.appspot.com/
If you want your application to be as secure as possible, you need to learn how Evil People think. And you'll want to use that knowledge to do penetration testing: attacking your own application to try to find bugs.
To help you understand how applications can be attacked and how to protect them from attack, we've created the “Web Application Exploits and Defenses” codelab. The codelab uses Gruyere, a small, cheesy, web application that is full of real world bugs.
In the codelab, you'll learn how to:
  • Attack a web application to find and exploit common web security vulnerabilities.
  • Avoid and fix these common bugs.
Gruyere is chock full of cool features, and the more features an application has, the larger the attack surface. Your application probably has features just like these:
Can you match each feature to the vulnerability that it exposes and the exploit it enables?

Feature
  • New template language
  • HTML allowed in snippets
  • File upload capability
  • AJAX
  • Web-based admin console

Vulnerability
  • Cross Site Scripting (XSS)
  • Cross Site Request Forgery (XSRF)
  • Cross Site Script Inclusion (XSSI)
  • Path traversal
  • Client-state manipulation

Exploit
  • Information disclosure
  • Elevation of privilege
  • Denial of Service (DoS)
  • Spoofing
  • Code execution
Ha! Tricked you! Each of these features introduces multiple vulnerabilities. And each vulnerability can be exploited in multiple ways. The codelab walks you step by step through each vulnerability, with progressive hints guiding you on how to find them, how to exploit them and how to avoid them.
Here are some examples of fictitious attacks against Google applications. Do you recognize them? (answers below)
http://www.gmail.com/?search=in:spam+%3Cscript%3EmoveToInbox(selectAll())%3C/script%3E
http://www.blogger.com/delete-blog.g
http://www.picasa.com/../../../../../../../etc/passwd
http://www.youtube.com/admin?v=Vr0oK3gMzK&action=rickroll
http://checkout.google.com/buy?order=4815162342&total=0.01
Are you sure that your application isn't vulnerable to similar attacks!?
Check out the Toilet-Friendly Version for the answers
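One way to start testing for the classes above is to screen the URLs your own application receives (or the ones you throw at it during penetration testing) for the patterns the five fictitious attacks exhibit. The checker below is an added example for this post, not code from the codelab or from Gruyere; its rules, field names (`total`, `price`, `role`, `token`, `action`) and marker strings are constructed assumptions, and the sample input is the post's own URLs plus one benign request.

```python
"""Heuristic triage of request URLs against the vulnerability classes the
Gruyere codelab covers. Added example for this post, not code from the codelab
or from Gruyere; the rules, field names and sample input are constructed."""
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed assumptions: words marking state-changing endpoints, request
# fields the server must never accept from the client, and script markers.
STATE_CHANGING_WORDS = ("delete", "remove")
SERVER_OWNED_FIELDS = {"total", "price", "role"}
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=")

def classify(url):
    """Return the sorted list of suspicious classes one request URL exhibits."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = set()
    # Path traversal: normalised relative to the web root, the path still
    # begins with "..", so the request would escape the document root.
    if posixpath.normpath(path.lstrip("/")).startswith(".."):
        findings.add("path-traversal")
    # XSS probe: script markers in the decoded path or any query value.
    values = " ".join(v for vs in query.values() for v in vs)
    if any(m in (path + " " + values).lower() for m in SCRIPT_MARKERS):
        findings.add("xss")
    # XSRF candidate: a state-changing action reachable as a plain link,
    # carrying no anti-forgery token.
    last = posixpath.basename(path).lower()
    if any(w in last for w in STATE_CHANGING_WORDS) and "token" not in query:
        findings.add("xsrf")
    # Admin console driven by URL parameters: privilege-sensitive surface.
    if "admin" in path.lower().split("/") and "action" in query:
        findings.add("admin-console")
    # Client-state manipulation: the client sets a value only the server
    # should compute, such as the order total.
    if SERVER_OWNED_FIELDS & set(query):
        findings.add("client-state-manipulation")
    return sorted(findings)

def triage(urls):
    """Map each URL to its findings, leaving out the ones that look clean."""
    return {u: f for u in urls if (f := classify(u))}

# Constructed sample: the post's five fictitious URLs plus one benign request.
SAMPLE = [
    "http://www.gmail.com/?search=in:spam+%3Cscript%3EmoveToInbox(selectAll())%3C/script%3E",
    "http://www.blogger.com/delete-blog.g",
    "http://www.picasa.com/../../../../../../../etc/passwd",
    "http://www.youtube.com/admin?v=Vr0oK3gMzK&action=rickroll",
    "http://checkout.google.com/buy?order=4815162342&total=0.01",
    "http://www.example.com/search?q=cheese",
]
```

These string and path heuristics only flag candidates for a human or the codelab's exercises to confirm; the real fix for each class is on the server side (escaping output, checking anti-forgery tokens, confining file paths, recomputing totals), not in screening URLs.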