Difference between revisions of "Google Gruyere"
LHaidinger (talk | contribs) |
LHaidinger (talk | contribs) |
||
| Line 13: | Line 13: | ||
== Description == | == Description == | ||
The Codelab is organized by types of vulnerabilities. In each section you will find a short description of a vulnerability and a task to find an example of this vulnerability in Gruyere. Our task now is to slip into the role of a malicious hacker and find and exploit the vulnerabilities. | |||
If needed, there are further hints. There are also solutions on how to eliminate these security gaps. | |||
In the Codelab, we will use both black-box hacking and white-box hacking. Black-box hacking involves trying to find vulnerabilities by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess the server behavior. You do not have access to the source code. | |||
With white-box hacking, you have access to the source code and can perform automated or manual analysis to find errors. You can therefore treat Gruyere as if it were open source: read through the source code and try to find errors. Gruyere is written in Python, so a certain familiarity with Python can be helpful. However, the vulnerabilities covered are not Python-specific, and you can do most of the exercise without having to look at the code. | |||
== Access == | |||
To access Google Gruyere follow the following Steps: | |||
=== Step 1 === | === Step 1 === | ||
Visit the | Visit the [https://google-gruyere.appspot.com Google Gruyere website] and follow the instructions to start the exercises. | ||
=== Step 2 === | === Step 2 === | ||
After that, click "Continue". This will lead you to [https://google-gruyere.appspot.com/part1 Part1] of the Website, where you lern how to access Gruyere, view the code and you will be given a few tasks to familiarize yourself with Gruyere. If you proceed to click "Continue" you will get to Part 2 - 5 of the Gruyere Website, where the challenges will be listed. | |||
=== Step 3 === | |||
Now you can open the [https://google-gruyere.appspot.com/start Start link] to access the codelab. | |||
== | == Challenges used == | ||
* Cross-Site Scripting (XSS) | * Cross-Site Scripting (XSS) | ||
| Line 37: | Line 49: | ||
* Configuration Vulnerabilities | * Configuration Vulnerabilities | ||
* AJAX Vulnerabilities | * AJAX Vulnerabilities | ||
== Similar Codelabs == | |||
* [https://owasp.org/www-project-webgoat/ OWASP Webgoat] | |||
* [https://medium.com/@sraaz880/dvwa-dc528ea95a82 DVWA (Damn Vulnerable Web Application)] | |||
* [https://infosecwriteups.com/bwapp-a-vulnerable-web-application-for-practicing-vulnerabilities-installation-guide-146637e2da92 bWAPP (Buggy Web Application)] | |||
== References == | == References == | ||
Revision as of 09:34, 15 December 2023
Summary
Google Gruyere is an educational codelab developed by Bruce Leban, Mugdha Bendre, and Parisa Tabriz to demonstrate common security vulnerabilities in web applications and provide solutions to these problems. It serves as a practical platform for learning how to identify and avoid security risks.
-
Google Gruyere; source: https://googlegruyere.appspot.com
Requirements
- Operating system: Not specific, as it is web-based
- Additional software: An up-to-date web browser
Description
The Codelab is organized by types of vulnerabilities. In each section you will find a short description of a vulnerability and a task to find an example of this vulnerability in Gruyere. Our task now is to slip into the role of a malicious hacker and find and exploit the vulnerabilities.
If needed, there are further hints. There are also solutions on how to eliminate these security gaps.
In the Codelab, we will use both black-box hacking and white-box hacking. Black-box hacking involves trying to find vulnerabilities by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess the server behavior. You do not have access to the source code.
With white-box hacking, you have access to the source code and can perform automated or manual analysis to find errors. You can therefore treat Gruyere as if it were open source: read through the source code and try to find errors. Gruyere is written in Python, so a certain familiarity with Python can be helpful. However, the vulnerabilities covered are not Python-specific, and you can do most of the exercise without having to look at the code.
Access
To access Google Gruyere follow the following Steps:
Step 1
Visit the Google Gruyere website and follow the instructions to start the exercises.
Step 2
After that, click "Continue". This will lead you to Part1 of the Website, where you lern how to access Gruyere, view the code and you will be given a few tasks to familiarize yourself with Gruyere. If you proceed to click "Continue" you will get to Part 2 - 5 of the Gruyere Website, where the challenges will be listed.
Step 3
Now you can open the Start link to access the codelab.
Challenges used
- Cross-Site Scripting (XSS)
- Client-State Manipulation
- Cross-Site Request Forgery (XSRF)
- Cross Site Script Inclusion (XSSI)
- Path Traversal
- Denial of Service (DoS)
- Code Execution
- Configuration Vulnerabilities
- AJAX Vulnerabilities