Do Know Evil
Thursday, May 06, 2010
Web Application Exploits and Defenses
by Bruce Leban, Google Kirkland
http://google-gruyere.appspot.com/
If you want your application to be as secure as possible, you need to learn how Evil People think. And you'll want to use that knowledge to do penetration testing: attacking your own application to try to find bugs.
To help you understand how applications can be attacked and how to protect them from attack, we've created the “Web Application Exploits and Defenses” codelab. The codelab uses Gruyere, a small, cheesy web application that is full of real-world bugs.
In the codelab, you'll learn how to:
- Attack a web application to find and exploit common web security vulnerabilities.
- Avoid and fix these common bugs.
Gruyere is chock full of cool features, and the more features an application has, the larger its attack surface. Your application probably has features just like these.
Can you match each feature to the vulnerability it exposes and the exploit it enables?
| Feature | Vulnerability | Exploit |
|---|---|---|
| New template language | Cross Site Scripting (XSS) | Information disclosure |
| HTML allowed in snippets | Cross Site Request Forgery (XSRF) | Elevation of privilege |
| File upload capability | Cross Site Script Inclusion (XSSI) | Denial of Service (DoS) |
| AJAX | Path traversal | Spoofing |
| Web-based admin console | Client-state manipulation | Code execution |
Ha! Tricked you! Each of these features introduces multiple vulnerabilities, and each vulnerability can be exploited in multiple ways. The codelab walks you step by step through each vulnerability, with progressive hints guiding you on how to find it, how to exploit it and how to avoid it.
Here are some examples of fictitious attacks against Google applications. Do you recognize them? (answers below)
- http://www.gmail.com/?search=in:spam+%3Cscript%3EmoveToInbox(selectAll())%3C/script%3E
- http://www.blogger.com/delete-blog.g
- http://www.picasa.com/../../../../../../../etc/passwd
- http://www.youtube.com/admin?v=Vr0oK3gMzK&action=rickroll
- http://checkout.google.com/buy?order=4815162342&total=0.01
Are you sure that your application isn't vulnerable to similar attacks!?
Check out the Toilet-Friendly Version for the answers
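As an added example (not code from Gruyere or from this post), the toy Python handlers below mirror four of the five fictitious URLs above, each in a vulnerable form next to a fixed form: reflected XSS in a search page, an XSRF-able delete action, path traversal in a file-serving handler, and a checkout that trusts a client-supplied total. The handler names, the PHOTO_ROOT directory, the SECRET key and the ORDERS price table are all assumptions made for the example; paths are handled with posixpath so nothing touches the real filesystem.

```python
# Added example, not code from Gruyere or from this post: toy handlers that
# mirror four of the fictitious attack URLs above, each in a vulnerable form
# and a fixed form. Handler names, PHOTO_ROOT, SECRET and ORDERS are assumed.
import hashlib
import hmac
import html
import posixpath
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


def params_from_url(url: str) -> Dict[str, str]:
    """Flattens a URL's query string to {name: first value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# --- XSS: gmail.com/?search=<script>...</script> -----------------------------

def search_page_vulnerable(query: str) -> str:
    """Reflects the query into the page verbatim, so markup in it executes."""
    return "<h1>Results for " + query + "</h1>"


def search_page_safe(query: str) -> str:
    """HTML-escapes the query before placing it in an HTML text context."""
    return "<h1>Results for " + html.escape(query, quote=True) + "</h1>"


# --- XSRF: blogger.com/delete-blog.g ----------------------------------------

SECRET = b"server-side-secret"  # assumed per-deployment key, never sent to clients


def xsrf_token(session_id: str) -> str:
    """Token bound to the session; an attacker's page cannot compute it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def delete_blog_vulnerable(method: str, session_id: Optional[str],
                           params: Dict[str, str]) -> bool:
    """Any request carrying the victim's session cookie deletes the blog,
    including a GET triggered by <img src=...> on an attacker's page."""
    return session_id is not None


def delete_blog_safe(method: str, session_id: Optional[str],
                     params: Dict[str, str]) -> bool:
    """Requires POST plus a token that matches the session."""
    if method != "POST" or session_id is None:
        return False
    return hmac.compare_digest(params.get("xsrf_token", ""),
                               xsrf_token(session_id))


# --- Path traversal: picasa.com/../../../../../../../etc/passwd --------------

PHOTO_ROOT = "/srv/photos"  # assumed storage root; posixpath keeps this offline


def photo_path_vulnerable(requested: str) -> str:
    """Joins the user-supplied name onto the root; '../' walks out of it."""
    return posixpath.normpath(posixpath.join(PHOTO_ROOT, requested))


def photo_path_safe(requested: str) -> Optional[str]:
    """Normalises, then refuses any result outside PHOTO_ROOT."""
    candidate = posixpath.normpath(posixpath.join(PHOTO_ROOT, requested))
    if candidate != PHOTO_ROOT and not candidate.startswith(PHOTO_ROOT + "/"):
        return None
    return candidate


# --- Client-state manipulation: checkout.google.com/buy?...&total=0.01 -------

ORDERS = {"4815162342": 4999}  # constructed: order id -> price in cents


def charge_vulnerable(params: Dict[str, str]) -> int:
    """Trusts the total the browser sent back, so the buyer sets the price."""
    return int(round(float(params["total"]) * 100))


def charge_safe(params: Dict[str, str]) -> int:
    """Ignores client-supplied totals and prices the order server-side."""
    return ORDERS[params["order"]]


if __name__ == "__main__":
    checkout = params_from_url(
        "http://checkout.google.com/buy?order=4815162342&total=0.01")
    print(search_page_safe("<script>moveToInbox(selectAll())</script>"))
    print(delete_blog_safe("GET", "sess", {}),
          delete_blog_safe("POST", "sess", {"xsrf_token": xsrf_token("sess")}))
    print(photo_path_vulnerable("../../../../../../../etc/passwd"),
          photo_path_safe("../../../../../../../etc/passwd"))
    print(charge_vulnerable(checkout), charge_safe(checkout))
```

Two caveats on the fixed forms: html.escape only covers the HTML text and attribute contexts, so a value dropped into a script block or a URL needs the escaping appropriate to that context, and the path check compares normalised strings without following symlinks, so a handler that serves from a real directory should also resolve the candidate with os.path.realpath before comparing.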
Nice article. Any reason for not including SQL injection and man-in-the-middle attacks, which are also frequent in web attacks?

Great!! Really cool stuff :) thx

Useful article. Thanks for posting.

This isn't really an exhaustive list. http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project lists the top ten but there are many more. Remember what your fearless leader said about security. I believe that "paranoid" was the word that he chose. :) Best of luck with your security testing.

Nice article, would like to know more information on it. Cool stuff :)

Useful article with lots of cool stuff. Would like to know more about it.

Nice and a very useful article :) Recommend it to all my friends in testing.