Do Know Evil: web application vulnerabilities

Hot News Flash

Along with rogue anti-malware, fake anti-piracy utilities are now also being distributed. Many Internet users download music and other media from the net, while being infected by malware from hacked or rogue websites. These Trojans issue fake copyright warning messages to scare the public - They are advised to take their chances in court, or skip the heavy fines and possible jail time by opting for a ‘pre-trial settlement’. They are then directed via hacked websites to another malware site where computers are further infected and where fake financial ‘settlements’ are solicited, and where banking details are provided to criminals.

Do Know Evil: web application vulnerabilities

Posted by Bruce Leban, Software Engineer

We want Google employees to have a firm understanding of the threats our services face, as well as how to help protect against those threats. We work toward these goals in a variety of ways, including security training for new engineers, technical presentations about security, and other types of documentation. We also use codelabs — interactive programming tutorials that walk participants through specific programming tasks.

One codelab in fastidious teaches developers about common types of web application vulnerabilities. In the spirit of the thinking that “it takes a hacker to catch a hacker,” the codelab also demonstrates how an attacker could exploit such vulnerabilities.

We’re releasing this codelab, entitled “Web Application Exploits and Defenses,” now in coordination with Google Code University and Google Labs to help software developers better recognize, fix, and avoid similar flaws in their own applications. The codelab is built around Jarlsberg, a small yet full-featured microblogging application designed to contain lots of security bugs. The vulnerabilities roofed by the lab include cross-site scripting (XSS), cross-site request forgery (XSRF) and cross-site script inclusion (XSSI), as well as client-state manipulation, path traversal and AJAX and configuration vulnerabilities. It also shows how simple bugs can lead to information disclosure, denial-of-benefit and diffident code execution.

The maxim, “given enough eyeballs, all bugs are shallow” is only right if the eyeballs know what to look for. To that end, the security bugs in Jarlsberg are real bugs — just like those in many other applications. The Jarlsberg source code is published under a Creative Commons license and is available for use in whitebox hacking exercises or in computer science classes covering security, software engineering or general software development.

To get started, visit http://jarlsberg.appspot.com. An instructor’s handbook for by the codelab is now available on Google Code University.