Google Gruyere

Summary

Google Gruyere is an educational codelab developed by Bruce Leban, Mugdha Bendre, and Parisa Tabriz to demonstrate common security vulnerabilities in web applications and provide solutions to these problems. It serves as a practical platform for learning how to identify and avoid security risks.

Requirements

• Operating system: Not specific, as it is web-based
• Additional software: An up-to-date web browser

Description

The Codelab is organized by types of vulnerabilities. In each section you will find a short description of a vulnerability and a task to find an example of this vulnerability in Gruyere. Our task now is to slip into the role of a malicious hacker and find and exploit the vulnerabilities.

If needed, there are further hints. There are also solutions on how to eliminate these security gaps.

In the Codelab, we will use both black-box hacking and white-box hacking. Black-box hacking involves trying to find vulnerabilities by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess the server behavior. You do not have access to the source code.

With white-box hacking, you have access to the source code and can perform automated or manual analysis to find errors. You can therefore treat Gruyere as if it were open source: read through the source code and try to find errors. Gruyere is written in Python, so a certain familiarity with Python can be helpful. However, the vulnerabilities covered are not Python-specific, and you can do most of the exercise without having to look at the code.

Access

To access Google Gruyere follow the following Steps:

Step 1

Visit the Google Gruyere website and follow the instructions to start the exercises.

Step 2

After that, click "Continue". This will lead you to Part1 of the Website, where you lern how to access Gruyere, view the code and you will be given a few tasks to familiarize yourself with Gruyere. If you proceed to click "Continue" you will get to Part 2 - 5 of the Gruyere Website, where the challenges will be listed.

Step 3

Now you can open the Start link to access the codelab.

Concepts used

• Cross-Site Scripting (XSS)
• Client-State Manipulation
• Cross-Site Request Forgery (XSRF)
• Cross Site Script Inclusion (XSSI)
• Path Traversal
• Denial of Service (DoS)
• Code Execution
• Configuration Vulnerabilities
• AJAX Vulnerabilities

Similar Codelabs

• OWASP Webgoat
• DVWA (Damn Vulnerable Web Application)
• bWAPP (Buggy Web Application)

References

• https://google-gruyere.appspot.com/
• https://google-gruyere.appspot.com/part1
• https://google-gruyere.appspot.com/start
• https://owasp.org/www-project-top-ten/
• https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload