Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Google Security IT

Google Releases a Web-App Case Study For Hackers 95

Hugh Pickens writes "The San Francisco Chronicle reports that Google has released Jarlsberg, a 'small, cheesy' web application specifically designed to be full of bugs and security flaws as a security tutorial for coders, and encourages programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code. Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The codelab is organized by types of vulnerabilities." (Read on for more.)
"In black box hacking, users try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs. The tutorial notes that accessing or attacking a computer system without authorization is illegal in many jurisdictions but while doing this codelab, users are specifically granted authorization to attack the Jarlsberg application as directed."
This discussion has been archived. No new comments can be posted.

Google Releases a Web-App Case Study For Hackers

Comments Filter:
  • by Jay L ( 74152 ) * <jay+slash&jay,fm> on Wednesday May 05, 2010 @04:54PM (#32104360) Homepage

    The hard part, though, will be keeping up with all the patches for 0-day missing-vulnerabilities.

    • Re: (Score:1, Troll)

      Let me guess, we'll learn:
      - Sanitise input so random commands can't be executed on the server;
      - Don't allow upload of random files such as malformed JPGs which can include executable code;
      - Don't allow upload of HTML snippets which can contain cross-site scripting vulnerabilities;
      - Don't use session ID info which can be copy-pasted elsewhere, especially not corresponding to other people's accounts;
      - Don't do anything Google hasn't thought of, or they'll get pissy. Remember, you're only allowed to be as secu

  • by Anonymous Coward on Wednesday May 05, 2010 @04:59PM (#32104436)

    It's odd to see Google striving to be like Microsoft.

  • Jarlsberg (Score:5, Informative)

    by clone53421 ( 1310749 ) on Wednesday May 05, 2010 @05:02PM (#32104458) Journal

    For those who missed the reference, Jarlsberg [] is a variety of cheese which has large, irregular holes.

  • until Jarlsberg is blocked by all of the major security providers?
  • by Juba ( 790756 ) on Wednesday May 05, 2010 @05:16PM (#32104618)
    The webapp is written in Python.
    • by kuzb ( 724081 )
      ...which is silly, considering it's far from the most popular language for writing web applications.
      • Perhaps the point is that it is not the tool it is how it is used that counts.
        • by kuzb ( 724081 )
          If you're going to teach vulnerabilities and possibly how to exploit them, it's stupid to use a tool that very few people (comparatively speaking) use. The idea here is to show people the problems and give them a means to see the problems in action. Of course, most people will have to learn a new language in order for this to be useful which diminishes the effort.
          • Re: (Score:2, Insightful)

            by lonecrow ( 931585 )
            OK So lets consider the two major attack types: Cross site scripting (XSS) and sql injection SQLi.

            If I am launching a XSS attack against your website I don;t really care what language its scripted in do I? I just try to defeat what ever process your using to sanitize my text.

            For a SQL injection attack I would think the database engine is more important to know than the script that is passing the crappy dynamic sql to it.

            I am not much of a hacker, I just try to defend my sites the best I can. In all
            • The point isn't really for you to attack the site. The point is for people writing web applications to look at this deliberately and openly buggy application and see the similarities to their own code. If they can't easily understand the Jarslberg code then they might not make that connection, thus defeating the whole point of the exercise.

              Most of the things they're demonstrating are obvious and well-known to anyone who actively thinks about security and sanitisation of user-supplied data. So while you can

              • so while you can argue that any good programmer with knowledge of a handful languages would be able to easily understand Python code, it's not really aimed at the good programmers in the first place.

                It's aimed at someone who's familiar enough with programming to be doing web dev and serious enough about writing good code to bother using this app. Those people will have no trouble with python, which really isn't all that hard, especially since the apps source is basically self commenting and really clean. I know almost nothing about web dev, but don't have much trouble following the code (granted, I code in python).

              • Your right in the sense that if you don't speak python you will have trouble with half the value from this site. Half the value is that you can walk through the attacks and understand how they work which has nothing to do with the app source code.

                The other half of the value is being able to walk through the source and see where the programmer could have plugged some holes. I suspect anyone taking the time to use this site will be able to muddle through. And of course everything google does starts in py
            • by kuzb ( 724081 )

              The problem here is once you know something can be done, you need to know the best ways to avoid doing it. Each language has its own pitfalls, and identifying the bad code and how to deal with it is the really important part of this exercise. Basically, knowing there is a problem, and knowing how to fix the problem are different things.

              I'm not trying to say what Google has done is a bad thing - I just think it would have made more sense to cover popular languages. This would have a greater benefit to the

          • Of course, most people will have to learn a new language in order for this to be useful which diminishes the effort.

            It's not like you have to be fluent in a language to understand the code to some degree. There are a lot of concepts in programming that transfer amongst the various languages and it would take no more than a trip to Wikipedia to see how any language works in relation to any other.

    • Perhaps the reasons for choosing Python are
      1) the application runs on Google's App Engine, which supports (only) Python and the Java VM. (So Google saved lots of time reusing their AppEngine machinery.)
      2) Python being an easy to understand language.
  • would be better. I have no trust in being taught security principles by a closed source company whose greatest asset is information about me.

    All the good security texts are by people who are open with their ideas, open with their methods and open with their code.

    • Re: (Score:3, Insightful)

      by Spad ( 470073 )

      ...while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs.

      Those closed [] source [] bastards!

      • Re: (Score:2, Informative)

        Android is built on Linux, which is open source. Google's apps on Android are closed source.
        Chromium is built on WebKit, which is built on KDE's HTML rendering engine, which is open source. Chrome is closed source.

        So even when they're taking great advantage of open source, like Apple, they can't resist making sure the full kaboodle is closed. And these are just just their minor projects.

        Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).

        • However, for both Android and Chrome, you can easily roll your own version without much trouble. Yeah, Google applications are nice on Android, but you can use alternates.

          So even when they're taking great advantage of open source, like Apple, they can't resist making sure the full kaboodle is closed. And these are just just their minor projects.

          However, Google does a lot more to foster openness than Apple. Google doesn't like locked-down Android phones (otherwise why would they release the Nexus One?), Apple however seems to love having a closed platform.

          Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).

          Well of course it is closed. It is more or less a trade secret. If PageRank was open source, Google would be no more. Howev

          • Well of course it is closed. It is more or less a trade secret.

            Yeah, that's everyone's excuse for closed source.

            If PageRank was open source, Google would be no more.

            I didn't realise Google were such a one-trick po.. OK, yes I did. Good! Let them "innovate" in better ways than by hiding their super sekrit algorithms from each other. No wonder there's been so little advance in search quality over the past decade.

            However, unlike closed source programs, it doesn't hinder usability and it works better than competitors.

            Sometimes it does, sometimes it doesn't. There are half a dozen good search engines and, if you're just using Google, you're getting a fairly skewed view of the web. And it certainly hinders usability that others c

            • Yeah, that's everyone's excuse for closed source.

              Then don't use the products? For Christ's sake man your going to have to put up with a mixed eco system, hegemony is not going to be a good thing regardless of whether it's closed or open source.

              There is nothing that says you are entitled to effective search, or entitled to a pointless touchscreen "phone" (sorry they are nothing more than two way radios to me and I can't understand people spending more than 50 bucks on a phone, but that's my problem).

              You can avoid all the closed source stuff in the world

        • Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).

          I didn't know they had promised that. Do you have a link?

      • *yawn* Come back to us when you show us when they've open sourced the adsense/adwords platform, or all their Linux kernel changes they've kept to themselves, or GoogleF, or their PageRank code. You know, things that are actually fundamental to their revenue stream.

  • Obligatory (Score:4, Funny)

    by Yvan256 ( 722131 ) on Wednesday May 05, 2010 @05:20PM (#32104668) Homepage Journal

    Customer: Jarlsberg, perhaps?
    Owner: Ah! We have Jarlsberg, yessir.
    Customer: (suprised) You do! Excellent.
    Owner: Yessir. It's..ah,'s a bit runny...
    Customer: Oh, I like it runny.
    Owner: Well,.. It's very runny, actually, sir.
    Customer: No matter. Fetch hither the cheese of Norway! Mmmwah!
    Owner: I...think it's a bit runnier than you'll like it, sir.
    Customer: I don't care how fucking runny it is. Hand it over with all speed.
    Owner: Oooooooooohhh........! (pause)
    Customer: What now?
    Owner: The cat's eaten it.
    Customer: (pause) Has he.
    Owner: She, sir.

    • by dangitman ( 862676 ) on Wednesday May 05, 2010 @05:31PM (#32104784)

      Cheese is a kind of meat
      A tasty yellow beef
      I milk it from my teat
      But I try to be discreet
      Ooh, cheese.
      Ooh, cheese.

    • Well cited, Mostly. Although the particular part you cite is actually the "Camembert" portion of the skit.

      However, the names of the customer (Mousebender) and the proprietor (Wensleydale) are known []. As, apparently, all the cheeses [] named in the sketch.

      Which, if you think about it, says as much about Wikipedia as it does about Monty Python or the Jarlsberg web app.

  • i followed the link and ended up at Really funny Google... reallly funny.

  • Should Slashdot really be throwing stones?

  • Web Goat (Score:4, Informative)

    by dhadley519 ( 876667 ) * on Wednesday May 05, 2010 @06:17PM (#32105266)
    Interested parties should also be aware of web goat by the owasp team. []
  • Is this another Google talent scout tool like their billboard of a few years ago ? Find the hidden easter egg and you're given a phone number at Google HR to call...
    • That was barely a challenge - probably more to gauge how many people were paying attention. GCHQ put out some interesting challenges from time to time (not all of which are still on their site, so look further if you're searching).

  • AppEngine will start a new instance of Jarlsberg for you, assign it a unique id ... [] (where 123 is your unique id). If you want to share your instance of Jarlsberg, just share the full URL with them including your unique id. is possible to put your Jarlsberg instance into a state where it is completely unusable. If that happens, you can push a magic "reset button" to wipe out all the data in your instance and start from scratch. To do this, visit this URL with your in

  • by justinnf ( 1799382 ) on Wednesday May 05, 2010 @11:58PM (#32107884)
    is that they generally don't know wtf they're talking about; I only looked at the part on buffer/integer related overflows; where they take the moment to not only give me flat out wrong advice, but also see fit to try and propagandize me:

    "This codelab doesn't cover overflow vulnerabilities because Jarlsberg is written in Python, and therefore not vulnerable to typical buffer and integer overflow problems. Python won't allow you to read or write outside the bounds of an array and integers can't overflow. While C and C++ programs are most commonly known to expose these vulnerabilities, other languages are not immune. For example, while Java was designed to prevent buffer overflows, it silently ignores integer overflow. "

    The thing is google of all organizations, and specifically appspot should know better. I mean, I [] already [] told [] them []. I mean seriously, look at this [].

    Of particular interest is: [] ... reported: 2008-04-11 22:35:37 bug closed: ?????

    Just stop with this incessant bullshit 'lol hey my program-by-number language of choice doesnt have memory corruption security issues@#@!#'. It's all assembly at the end, and the processor does whatever you tell it, so everything has this problem. I thought this would be clear from my work, Dowd's actionscript work, nemo's obj-c work, ilja's pascal work, brezinski & mcdonalds ruby work, et cetera.

    In short, when you try to talk about things you don't know, especially in the realm of security; you do more harm than good.
    • by soma ( 20246 )

      You're being unfair to the Jarlsberg developers. "not vulnerable to typical buffer and integer overflow problems" is not the same as not vulnerable to *any* such problems. I agree they could be more specific, but it is true that you can't just run off the end of an array in Python like you can in C.

      The bug report you refer to is about a flaw in the Python runtime environment, which is in fact a C program, and so is vulnerable to all the same problems as other C programs. To exploit this you have to give

  • []/saveprofile?action=new&uid=lol&pw=cats&is_author=True&is_admin=True *sigh*, I was expecting more of a challenge from the big G.
  • For The Cheese!
  • What a perfect way to prove just how fundamentally broken the technologies of the web are. Content, arguments, scripts,'s all just one big mess. I got to the point about hosting content on separate domains to avoid some XSS attacks and thought: when the security *fixes* look like kludges, something is very, very wrong.

  • []

  • Not sure why this is making headlines, Microsoft has been doing this for years.

Each honest calling, each walk of life, has its own elite, its own aristocracy based on excellence of performance. -- James Bryant Conant