Google Releases a Web-App Case Study For Hackers

← Back to Stories (view on slashdot.org)

Google Releases a Web-App Case Study For Hackers

Posted by timothy on Wednesday May 5, 2010 @08:49AM from the just-this-once dept.

Hugh Pickens writes "The San Francisco Chronicle reports that Google has released Jarlsberg, a 'small, cheesy' web application specifically designed to be full of bugs and security flaws as a security tutorial for coders, and encourages programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code. Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The codelab is organized by types of vulnerabilities." (Read on for more.) "In black box hacking, users try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs. The tutorial notes that accessing or attacking a computer system without authorization is illegal in many jurisdictions but while doing this codelab, users are specifically granted authorization to attack the Jarlsberg application as directed."

61 of 95 comments (clear)

Min score:

Reason:

Sort:

That's brilliant by Jay+L · 2010-05-05 08:54 · Score: 3, Funny

The hard part, though, will be keeping up with all the patches for 0-day missing-vulnerabilities.
1. Re:That's brilliant by networkBoy · 2010-05-05 09:31 · Score: 3, Interesting
  
  Five bucks says we start seeing this code in copy-paste applications soon because people too lazy to write and understand the code they're producing are also to lazy to look where the code came from...
  
  --
  whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
2. Re:That's brilliant by calmofthestorm · 2010-05-05 10:32 · Score: 1
  
  I suspect that Google has this so sandboxed to hell they don't give a fuck what you do to it. VM inside a VM inside a VM inside a VM rebooting and losing state every 5 minutes sounds about right. Also alternate between linux and windows in the VMs, and make sure to run Norton antivirus on all hte Windows ones.
  For optimal security, randomly vary the VM recursion depth so attackers can't figure it out.
  
  --
  93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
3. Re:That's brilliant by NatasRevol · 2010-05-05 10:52 · Score: 1
  
  Norton would slow the VMs down too much....
  
  --
  There are two types of people in the world: Those who crave closure
4. Re:That's brilliant by calmofthestorm · 2010-05-05 10:58 · Score: 1
  
  Good point, we can replace it with a busy waiting process that also thrashes disk, only just a little bet less. Save RAM too.
  
  --
  93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
5. Re:That's brilliant by fractoid · 2010-05-05 16:50 · Score: 3, Funny
  
  Five bucks says we start seeing this code in copy-paste applications soon because people too lazy to write and understand the code they're producing are also to lazy to look where the code came from...
  I hate you for how plausible that sounds.
  
  --
  Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
6. Re:That's brilliant by networkBoy · 2010-05-06 02:02 · Score: 1, Funny
  
  that's what I'm here for ;)
  
  --
  whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Try Jarlsberg, the newest app from Google... by Anonymous Coward · 2010-05-05 08:59 · Score: 4, Funny

It's odd to see Google striving to be like Microsoft.
Re:" designed to be full of bugs and security flaw by pwnies · 2010-05-05 09:02 · Score: 1

...yes?
Jarlsberg by clone53421 · 2010-05-05 09:02 · Score: 5, Informative

For those who missed the reference, Jarlsberg is a variety of cheese which has large, irregular holes.

--
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
1. Re:Jarlsberg by WrongSizeGlass · 2010-05-05 09:43 · Score: 1
  
  But is it as cheesy as the Moon?
2. Re:Jarlsberg by Jarlsberg · 2010-05-05 16:35 · Score: 2, Funny
  
  Everybody loves Jarlsberg. Especially me.
Re:How is that news? by Weazol · 2010-05-05 09:16 · Score: 1

pwned. It is a great idea however it is lacking an achievement system.
For those who may ask... by Juba · 2010-05-05 09:16 · Score: 4, Funny

The webapp is written in Python.
1. Re:For those who may ask... by kuzb · 2010-05-05 11:40 · Score: 1
  
  ...which is silly, considering it's far from the most popular language for writing web applications.
  
  --
  BeauHD. Worst editor since kdawson.
2. Re:For those who may ask... by lonecrow · 2010-05-05 15:05 · Score: 1
  
  Perhaps the point is that it is not the tool it is how it is used that counts.
3. Re:For those who may ask... by kuzb · 2010-05-05 15:32 · Score: 1
  
  If you're going to teach vulnerabilities and possibly how to exploit them, it's stupid to use a tool that very few people (comparatively speaking) use. The idea here is to show people the problems and give them a means to see the problems in action. Of course, most people will have to learn a new language in order for this to be useful which diminishes the effort.
  
  --
  BeauHD. Worst editor since kdawson.
4. Re:For those who may ask... by lonecrow · 2010-05-05 17:12 · Score: 2, Insightful
  
  OK So lets consider the two major attack types: Cross site scripting (XSS) and sql injection SQLi.
  
  If I am launching a XSS attack against your website I don;t really care what language its scripted in do I? I just try to defeat what ever process your using to sanitize my text.
  
  For a SQL injection attack I would think the database engine is more important to know than the script that is passing the crappy dynamic sql to it.
  
  I am not much of a hacker, I just try to defend my sites the best I can. In all my research very little is language specific.
5. Re:For those who may ask... by totally+bogus+dude · 2010-05-05 17:45 · Score: 1
  
  The point isn't really for you to attack the site. The point is for people writing web applications to look at this deliberately and openly buggy application and see the similarities to their own code. If they can't easily understand the Jarslberg code then they might not make that connection, thus defeating the whole point of the exercise.
  Most of the things they're demonstrating are obvious and well-known to anyone who actively thinks about security and sanitisation of user-supplied data. So while you can argue that any good programmer with knowledge of a handful languages would be able to easily understand Python code, it's not really aimed at the good programmers in the first place.
6. Re:For those who may ask... by lonecrow · 2010-05-05 19:00 · Score: 1
  
  Your right in the sense that if you don't speak python you will have trouble with half the value from this site. Half the value is that you can walk through the attacks and understand how they work which has nothing to do with the app source code.
  
  The other half of the value is being able to walk through the source and see where the programmer could have plugged some holes. I suspect anyone taking the time to use this site will be able to muddle through. And of course everything google does starts in python then later they maybe add java. I would love to use app engine but I am not strong enough in java yet. (do they even support java on app engie?)
  
  There are other pen test websites like this. You can download hacme bank its in vb.net I think. http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
7. Re:For those who may ask... by negRo_slim · 2010-05-06 05:24 · Score: 1
  
  Of course, most people will have to learn a new language in order for this to be useful which diminishes the effort.
  It's not like you have to be fluent in a language to understand the code to some degree. There are a lot of concepts in programming that transfer amongst the various languages and it would take no more than a trip to Wikipedia to see how any language works in relation to any other.
  
  --
  On the Oregon Cost born and raised, On the beach is where I spent most of my days
8. Re:For those who may ask... by kuzb · 2010-05-06 07:36 · Score: 1
  
  The problem here is once you know something can be done, you need to know the best ways to avoid doing it. Each language has its own pitfalls, and identifying the bad code and how to deal with it is the really important part of this exercise. Basically, knowing there is a problem, and knowing how to fix the problem are different things.
  I'm not trying to say what Google has done is a bad thing - I just think it would have made more sense to cover popular languages. This would have a greater benefit to the world.
  
  --
  BeauHD. Worst editor since kdawson.
Obligatory by Yvan256 · 2010-05-05 09:20 · Score: 3, Funny

Customer: Jarlsberg, perhaps?
Owner: Ah! We have Jarlsberg, yessir.
Customer: (suprised) You do! Excellent.
Owner: Yessir. It's..ah,.....it's a bit runny...
Customer: Oh, I like it runny.
Owner: Well,.. It's very runny, actually, sir.
Customer: No matter. Fetch hither the cheese of Norway! Mmmwah!
Owner: I...think it's a bit runnier than you'll like it, sir.
Customer: I don't care how fucking runny it is. Hand it over with all speed.
Owner: Oooooooooohhh........! (pause)
Customer: What now?
Owner: The cat's eaten it.
Customer: (pause) Has he.
Owner: She, sir.
1. Re:Obligatory by idontgno · 2010-05-05 10:02 · Score: 1
  
  Well cited, Mostly. Although the particular part you cite is actually the "Camembert" portion of the skit.
  However, the names of the customer (Mousebender) and the proprietor (Wensleydale) are known. As, apparently, all the cheeses named in the sketch.
  Which, if you think about it, says as much about Wikipedia as it does about Monty Python or the Jarlsberg web app.
  
  --
  Welcome to the Panopticon. Used to be a prison, now it's your home.
Re:a tutorial from China by Spad · 2010-05-05 09:20 · Score: 2, Insightful

...while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs.
Those closed source bastards!
This is a joke. by MyLongNickName · 2010-05-05 09:21 · Score: 1

i followed the link and ended up at microsoft.com. Really funny Google... reallly funny.

--
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
1. Re:This is a joke. by Bat+Country · 2010-05-06 06:44 · Score: 1
  
  Meth: not even once.
  
  --
  The land shall stone them with the bread of his son.
Cheesy web-app full of bugs by MyLongNickName · 2010-05-05 09:24 · Score: 1

Should Slashdot really be throwing stones?

--
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
Re:a tutorial from China by FuckingNickName · 2010-05-05 09:26 · Score: 1, Informative

Android is built on Linux, which is open source. Google's apps on Android are closed source.
Chromium is built on WebKit, which is built on KDE's HTML rendering engine, which is open source. Chrome is closed source.
So even when they're taking great advantage of open source, like Apple, they can't resist making sure the full kaboodle is closed. And these are just just their minor projects.
Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).
Re:a tutorial from China by Lunix+Nutcase · 2010-05-05 09:30 · Score: 1

*yawn* Come back to us when you show us when they've open sourced the adsense/adwords platform, or all their Linux kernel changes they've kept to themselves, or GoogleF, or their PageRank code. You know, things that are actually fundamental to their revenue stream.
Ooh, cheese! by dangitman · 2010-05-05 09:31 · Score: 3, Funny

Cheese is a kind of meat
A tasty yellow beef
I milk it from my teat
But I try to be discreet
Ooh, cheese.
Ooh, cheese.

--
... and then they built the supercollider.
Re:a tutorial from China by Darkness404 · 2010-05-05 09:39 · Score: 1

However, for both Android and Chrome, you can easily roll your own version without much trouble. Yeah, Google applications are nice on Android, but you can use alternates.

So even when they're taking great advantage of open source, like Apple, they can't resist making sure the full kaboodle is closed. And these are just just their minor projects.

However, Google does a lot more to foster openness than Apple. Google doesn't like locked-down Android phones (otherwise why would they release the Nexus One?), Apple however seems to love having a closed platform.

Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).

Well of course it is closed. It is more or less a trade secret. If PageRank was open source, Google would be no more. However, unlike closed source programs, it doesn't hinder usability and it works better than competitors.

--
Taxation is legalized theft, no more, no less.
HackThisSite by brainfsck · 2010-05-05 09:50 · Score: 3, Informative

I had fun messing around on the site. If you're interested in this sort of thing, HackThisSite.org has about a dozen similar "Realistic Missions" as well as forums and many other types of security-related challenges.
Re:Carte blanche to hack Google? by ceejayoz · 2010-05-05 10:01 · Score: 1

Oh, bullshit. By that logic, a speed limit sign in one location would invalidate speeding tickets for all other locations.
Re:a tutorial from China by FuckingNickName · 2010-05-05 10:05 · Score: 1

Well of course it is closed. It is more or less a trade secret.
Yeah, that's everyone's excuse for closed source.

If PageRank was open source, Google would be no more.
I didn't realise Google were such a one-trick po.. OK, yes I did. Good! Let them "innovate" in better ways than by hiding their super sekrit algorithms from each other. No wonder there's been so little advance in search quality over the past decade.

However, unlike closed source programs, it doesn't hinder usability and it works better than competitors.
Sometimes it does, sometimes it doesn't. There are half a dozen good search engines and, if you're just using Google, you're getting a fairly skewed view of the web. And it certainly hinders usability that others can't improve PageRank!
Re:a tutorial from China by FuckingNickName · 2010-05-05 10:10 · Score: 1

Almost all the code I've deployed since 2001 is or has been (in cases where it's way too outdated to be usable) available publicly. I shan't link to it, because it'd link my real identity to my /. account - I value privacy, even though most of today's 'net users don't.
The first and only office-y job I had before that, before self-employment, guarded its code jealously. While I went some small way to opening things up, they weren't that interested. Since then I've been able to fully form and stick to principle.
Try again.
Web Goat by dhadley519 · 2010-05-05 10:17 · Score: 4, Informative

Interested parties should also be aware of web goat by the owasp team. http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
1. Re:Web Goat by halcyon1234 · 2010-05-05 14:06 · Score: 5, Funny
  
  Yeah-- as a rule of thumb, I don't follow any link on Slashdot that matches /^.*goat.*$/i
  
  --
  UTF-8: There and Back Again
2. Re:Web Goat by Kesch · 2010-05-05 14:34 · Score: 1
  
  I hear it features some pretty impressive holes.
  
  --
  If this signature is witty enough, maybe somebody will like me.
Subliminal Job Application by everweb · 2010-05-05 10:24 · Score: 1

Is this another Google talent scout tool like their billboard of a few years ago ? Find the hidden easter egg and you're given a phone number at Google HR to call...
1. Re:Subliminal Job Application by FuckingNickName · 2010-05-05 10:46 · Score: 1
  
  That was barely a challenge - probably more to gauge how many people were paying attention. GCHQ put out some interesting challenges from time to time (not all of which are still on their site, so look further if you're searching).
Is this software... by fotoguzzi · 2010-05-05 10:27 · Score: 1

...Beta?

--
Their they're doing there hair.
Fine print in the last line... by Hylandr · 2010-05-05 10:43 · Score: 1

"As Directed"...

--
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Re:a tutorial from China by Bromskloss · 2010-05-05 11:06 · Score: 1

Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).
I didn't know they had promised that. Do you have a link?

--
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
Re:a tutorial from China by Lunix+Nutcase · 2010-05-05 11:30 · Score: 1

Oooh ice burn! The fact of the matter is that Google is not an open source company. No one would accept people claiming that Microsoft is an open source company by pointing out how they have open sourced the ASP.NET MVC framework. Just because Google has open sourced some pet projects that have little to no bearing on their revenue stream doesn't make them an open source company.
Re:a tutorial from China by Capt.+Skinny · 2010-05-05 13:48 · Score: 1

It's one thing to promote open source (I think it's great myself), but I'll never understand disdain for closed source. If someone wants to spend their time or money producing code, what they do with it is up to them. If you don't like it, don't use it -- but at least respect the freedom of choice of the person or organization that wrote it.
Griefers, unite by halcyon1234 · 2010-05-05 14:17 · Score: 1

AppEngine will start a new instance of Jarlsberg for you, assign it a unique id ... http://jarlsberg.appspot.com/123/ (where 123 is your unique id). If you want to share your instance of Jarlsberg, just share the full URL with them including your unique id.
...it is possible to put your Jarlsberg instance into a state where it is completely unusable. If that happens, you can push a magic "reset button" to wipe out all the data in your instance and start from scratch. To do this, visit this URL with your instance id: http://jarlsberg.appspot.com/resetbutton/123

I think I've spotted a vulnerability:

$griefingIsFun = 0; while (1) get("http://jarlsberg.appspot.com/resetbutton/" . $griefingIsFun++);

--
UTF-8: There and Back Again
1. Re:Griefers, unite by Vroo · 2010-05-05 17:14 · Score: 1
  
  There's a captcha there.
the problem with learning insecurity from web-devs by justinnf · 2010-05-05 15:58 · Score: 3, Interesting

is that they generally don't know wtf they're talking about; I only looked at the part on buffer/integer related overflows; where they take the moment to not only give me flat out wrong advice, but also see fit to try and propagandize me:

"This codelab doesn't cover overflow vulnerabilities because Jarlsberg is written in Python, and therefore not vulnerable to typical buffer and integer overflow problems. Python won't allow you to read or write outside the bounds of an array and integers can't overflow. While C and C++ programs are most commonly known to expose these vulnerabilities, other languages are not immune. For example, while Java was designed to prevent buffer overflows, it silently ignores integer overflow. "

The thing is google of all organizations, and specifically appspot should know better. I mean, I already told them. I mean seriously, look at this.

Of particular interest is: http://bugs.python.org/issue2620 ... reported: 2008-04-11 22:35:37 bug closed: ?????

Just stop with this incessant bullshit 'lol hey my program-by-number language of choice doesnt have memory corruption security issues@#@!#'. It's all assembly at the end, and the processor does whatever you tell it, so everything has this problem. I thought this would be clear from my work, Dowd's actionscript work, nemo's obj-c work, ilja's pascal work, brezinski & mcdonalds ruby work, et cetera.

In short, when you try to talk about things you don't know, especially in the realm of security; you do more harm than good.
Re:" designed to be full of bugs and security flaw by fractoid · 2010-05-05 16:51 · Score: 1

NI!

--
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
it's python by story645 · 2010-05-05 18:09 · Score: 1

so while you can argue that any good programmer with knowledge of a handful languages would be able to easily understand Python code, it's not really aimed at the good programmers in the first place.
It's aimed at someone who's familiar enough with programming to be doing web dev and serious enough about writing good code to bother using this app. Those people will have no trouble with python, which really isn't all that hard, especially since the apps source is basically self commenting and really clean. I know almost nothing about web dev, but don't have much trouble following the code (granted, I code in python).

--
open source modern art: laser taggi
done by ViralInfection · 2010-05-05 18:34 · Score: 1

http://jarlsberg.appspot.com//saveprofile?action=new&uid=lol&pw=cats&is_author=True&is_admin=True *sigh*, I was expecting more of a challenge from the big G.
Jarlsberg by GlobalColding · 2010-05-05 19:01 · Score: 1, Funny

For The Cheese!
What a perfect way to prove.... by npcole · 2010-05-05 19:14 · Score: 1

What a perfect way to prove just how fundamentally broken the technologies of the web are. Content, arguments, scripts, user-data....it's all just one big mess. I got to the point about hosting content on separate domains to avoid some XSS attacks and thought: when the security *fixes* look like kludges, something is very, very wrong.
Debug by MortenMW · 2010-05-05 19:49 · Score: 1

http://jarlsberg.appspot.com/your_id/dump.jtl

Admin:secret
brie:briebrie
cheddar:orange
sardo:odras
Re:a tutorial from China by FuckingNickName · 2010-05-05 20:45 · Score: 1

I don't "respect" Google, and the only reason I wouldn't use their code commercially (with correct attribution) if I found it lying in the middle of the road is that I might face legal problems. If you don't want an idea shared, don't tell it to anyone, and I'll respect your right not to be tortured or otherwise forced to reveal it. Otherwise respect my freedom of choice to speak what I know.
But you're strawmanning, because my argument was simply to never trust a security lesson from an outfit like Google. Since my previous posts, I've gone through it, and it turns out the tutorial is so basic and rendered redundant by many far more in-depth security challenges on the web.
This isn't anything new by ioexcept · 2010-05-05 23:58 · Score: 1

Not sure why this is making headlines, Microsoft has been doing this for years.
Re:the problem with learning insecurity from web-d by soma · 2010-05-06 04:25 · Score: 1

You're being unfair to the Jarlsberg developers. "not vulnerable to typical buffer and integer overflow problems" is not the same as not vulnerable to *any* such problems. I agree they could be more specific, but it is true that you can't just run off the end of an array in Python like you can in C.
The bug report you refer to is about a flaw in the Python runtime environment, which is in fact a C program, and so is vulnerable to all the same problems as other C programs. To exploit this you have to give Python weird input. To corrupt memory in C, however, you just use regular language features, e.g., increment a pointer.
But anyway, spending your time looking for buffer and integer overflows in web applications is like looking to fix holes in the walls of a house where a tree has destroyed the roof - there are much bigger problems to worry about. Jarlsberg and WebGoat nicely illustrate this.
Re:a tutorial from China by FuckingNickName · 2010-05-06 05:23 · Score: 1

What does open/closed source have to do with this?
Yes, why not trust the motives of people who keep everything a secret?

Everyone has to start somewhere.
Absolutely. But a little learning is a dangerous thing where security is concerned - by the writers too, it seems, since they come out with stuff like Python implying imperviousness to buffer overflows (another commenter has covered this well in the posts he links to).
I'd have let them get away with it if they'd chosen a more honestly self-deprecating title. How about, "Brief introduction to inherent problems with the HTML application model we're obsessed with, and necessary workarounds"?
Re:a tutorial from China by negRo_slim · 2010-05-06 05:30 · Score: 1

Yeah, that's everyone's excuse for closed source.
Then don't use the products? For Christ's sake man your going to have to put up with a mixed eco system, hegemony is not going to be a good thing regardless of whether it's closed or open source.

There is nothing that says you are entitled to effective search, or entitled to a pointless touchscreen "phone" (sorry they are nothing more than two way radios to me and I can't understand people spending more than 50 bucks on a phone, but that's my problem).

You can avoid all the closed source stuff in the world and shut that trap of yours, no one is stopping you.

--
On the Oregon Cost born and raised, On the beach is where I spent most of my days
Reasons for Python by LeoMaheo · 2010-05-08 22:12 · Score: 1

Perhaps the reasons for choosing Python are
1) the application runs on Google's App Engine, which supports (only) Python and the Java VM. (So Google saved lots of time reusing their AppEngine machinery.)
2) Python being an easy to understand language.