Web Application Exploits and Defenses (Part 1)

• Beat the hackers
• Gruyere
• Set-up
  • Reset Button
  • About the Code
  • Features and Technologies
• Using Gruyere
• Cross-Site Scripting (XSS)
  • XSS Challenges
  • File Upload XSS
  • Reflected XSS
  • Stored XSS
  • Stored XSS via HTML Attribute
  • Stored XSS via AJAX
  • Reflected XSS via AJAX
  • More about XSS
• Client-State Manipulation
  • Elevation of Privilege
  • Cookie Manipulation
• Cross-Site Request Forgery (XSRF)
  • XSRF Challenge
  • More about preventing XSRF
• Cross Site Script Inclusion (XSSI)
  • XSSI Challenge
• Path Traversal
  • Information disclosure via path traversal
  • Data tampering via path traversal
• Denial of Service
  • DoS - Quit the Server
  • DoS - Overloading the Server
  • More on Denial of Service
• Code Execution
  • Code Execution Challenge
  • More on Remote Code Execution
• Configuration Vulnerabilities
  • Information disclosure #1
  • Information disclosure #2
  • Information disclosure #3
• AJAX vulnerabilities
  • DoS via AJAX
  • Phishing via AJAX
• Other Vulnerabilities
  • Buffer Overflow and Integer Overflow
  • SQL Injection
• After the Codelab

Setup

To access Gruyere, go to https://google-gruyere.appspot.com/start. AppEngine will start a new instance of Gruyere for you, assign it a unique id and redirect you to https://google-gruyere.appspot.com/123/ (where 123 is your unique id). Each instance of Gruyere is "sandboxed" from the other instances so your instance won't be affected by anyone else using Gruyere. You'll need to use your unique id instead of 123 in all the examples. If you want to share your instance of Gruyere with someone else (e.g., to show them a successful attack), just share the full URL with them including your unique id.

The Gruyere source code is available online so that you can use it for white-box hacking. You can browse the source code at https://google-gruyere.appspot.com/code/ or download all the files from https://google-gruyere.appspot.com/gruyere-code.zip. If want to debug it or actually try fixing the bugs, you can download it and run it locally. You do not need to run Gruyere locally in order to do the lab.

$ cd <gruyere-directory>
$ ./gruyere.py

Reset Button

https://google-gruyere.appspot.com/resetbutton/123

About the Code

Gruyere is small and compact. Here is a quick rundown of the application code:

• gruyere.py is the main Gruyere web server
• data.py stores the default data in the database. There is an administrator account and two default users.
• gtl.py is the Gruyere template language
• sanitize.py is the Gruyere module used for sanitizing HTML to protect the application from security holes.
• resources/... holds all template files, images, CSS, etc.

Features and Technologies

Gruyere includes a number of special features and technologies which add attack surface. We'll highlight them here so you'll be aware of them as you try to attack it. Each of these introduces new vulnerabilities.

• HTML in Snippets: Users can include a limited subset of HTML in their snippets.
• File upload: Users can upload files to the server, e.g., to include pictures in their snippets.
• Web administration: System administrators can manage the system using a web interface.
• New accounts: Users can create their own accounts.
• Template language: Gruyere Template Language(GTL) is a new language that makes writing web pages easy as the templates connect directly to the database. Documentation for GTL can be found in gruyere/gtl.py.
• AJAX: Gruyere uses AJAX to implement refresh on the home and snippets page. You should ignore the AJAX parts of Gruyere except for the challenges that specifically tell you to focus on AJAX.
  • In a real application, refresh would probably happen automatically, but in Gruyere we've made it manual so that you can be in complete control while you are working with it. When you click the refresh link, Gruyere fetches feed.gtl which contains refresh data for the current page and then client-side script uses the browser DOM API (Document Object Model) to insert the new snippets into the page. Since AJAX runs code on the client side, this script is visible to attackers who do not have access to your source code.

Using Gruyere

To familiarize yourself with the features of Gruyere, complete the following tasks:

• View another user's snippets by following the "All snippets" link on the main page. Also check out what they have their Homepage set to.
• Sign up for an account for yourself to use when hacking. Do not use the same password for your Gruyere account as you use for any real service.
• Fill in your account's profile, including a private snippet and an icon that will be displayed by your name.
• Create a snippet (via "New Snippet") containing your favorite joke.
• Upload a file (via "Upload") to your account.

This covers the basic features provided by Gruyere. Now let's break them!

© Google 2017 Terms of Service
The code portions of this codelab are licensed under the Creative Commons Attribution-No Derivative Works 3.0 United States license <https://creativecommons.org/licenses/by-nd/3.0/us>. Brief excerpts of the code may be used for educational or instructional purposes provided this notice is kept intact. Except as otherwise noted the remainder of this codelab is licensed under the Creative Commons Attribution 3.0 United States license <https://creativecommons.org/licenses/by/3.0/us>.