A Codelab by Bruce Leban, Mugdha Bendre, and Parisa Tabriz
To access Gruyere, go to
AppEngine will start a new instance of Gruyere for you, assign it a unique id and redirect you to
123 is your unique id). Each instance of Gruyere is "sandboxed" from the other instances so your instance won't be affected by anyone else using Gruyere. You'll need to use your unique id instead of 123 in all the examples. If you want to share your instance of Gruyere with someone else (e.g., to show them a successful attack), just share the full URL with them including your unique id.
The Gruyere source code is available online so that you can use it for white-box hacking. You can browse the source code at https://google-gruyere.appspot.com/code/ or download all the files from https://google-gruyere.appspot.com/gruyere-code.zip. If you want to debug it or actually try fixing the bugs, you can download it and run it locally. You do not need to run Gruyere locally in order to do the lab.
Gruyere is small and compact. Here is a quick rundown of the application code:
gruyere.py is the main Gruyere web server
data.py stores the default data in the database. There is an administrator account and two default users.
gtl.py is the Gruyere template language
sanitize.py is the Gruyere module used for sanitizing HTML to protect the application from security holes.
resources/... holds all template files, images, CSS, etc.
Gruyere includes a number of special features and technologies which add attack surface. We'll highlight them here so you'll be aware of them as you try to attack it. Each of these introduces new vulnerabilities.
feed.gtl which contains refresh data for the current page, and then client-side script uses the browser DOM API (Document Object Model) to insert the new snippets into the page. Since AJAX runs code on the client side, this script is visible to attackers even if they do not have access to your source code.
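As an added example (not Gruyere's own client script), here is one way the refresh step could insert feed snippets into the page as text rather than as markup, so that whatever the feed contains is displayed literally instead of being parsed by the browser. The JSON-array feed format, the function names, and the stand-in document object (used so the code runs outside a browser) are assumptions; in a real page you would pass window.document.

```javascript
// Added example, not part of the Gruyere code base.
// Assumed feed format: a JSON array of snippet strings returned by feed.gtl.

// Insert each snippet as a DOM text node inside a <div class="snippet">.
// Because the snippet goes through createTextNode rather than being
// concatenated into innerHTML, markup inside the data is shown, not executed.
function renderSnippets(feedJson, container, doc) {
  const snippets = JSON.parse(feedJson);
  if (!Array.isArray(snippets)) throw new Error("feed must be a JSON array");
  for (const text of snippets) {
    const div = doc.createElement("div");
    div.className = "snippet";
    div.appendChild(doc.createTextNode(String(text)));
    container.appendChild(div);
  }
  return snippets.length;
}

// Minimal stand-in for the browser DOM (assumption, for running under Node).
// It serialises text nodes with HTML escaping, as a real browser would when
// you read element.outerHTML after inserting text via createTextNode.
function fakeDocument() {
  const esc = (s) =>
    s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
  const makeElement = (tag) => ({
    tag,
    className: "",
    children: [],
    appendChild(child) { this.children.push(child); return child; },
    get outerHTML() {
      const cls = this.className ? ` class="${this.className}"` : "";
      const inner = this.children
        .map((c) => (c.outerHTML !== undefined ? c.outerHTML : c.escaped))
        .join("");
      return `<${this.tag}${cls}>${inner}</${this.tag}>`;
    },
  });
  return {
    createElement: makeElement,
    createTextNode: (s) => ({ escaped: esc(s) }),
  };
}
```

In a browser, replace `fakeDocument()` with `document` and pass the container element that holds the snippet list.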
To familiarize yourself with the features of Gruyere, complete the following tasks:
This covers the basic features provided by Gruyere. Now let's break them!
© Google 2017 Terms of Service
The code portions of this codelab are licensed under the Creative Commons Attribution-No Derivative Works 3.0 United States license <https://creativecommons.org/licenses/by-nd/3.0/us>. Brief excerpts of the code may be used for educational or instructional purposes provided this notice is kept intact. Except as otherwise noted the remainder of this codelab is licensed under the Creative Commons Attribution 3.0 United States license <https://creativecommons.org/licenses/by/3.0/us>.