Slashdot Mirror


Google Releases a Web-App Case Study For Hackers

Hugh Pickens writes "The San Francisco Chronicle reports that Google has released Jarlsberg, a 'small, cheesy' web application specifically designed to be full of bugs and security flaws as a security tutorial for coders, and encourages programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code. Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The codelab is organized by types of vulnerabilities. In black-box hacking, users try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior, while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs. The tutorial notes that accessing or attacking a computer system without authorization is illegal in many jurisdictions, but while doing this codelab, users are specifically granted authorization to attack the Jarlsberg application as directed."

12 of 95 comments

  1. That's brilliant by Jay+L · · Score: 3, Funny

    The hard part, though, will be keeping up with all the patches for 0-day missing-vulnerabilities.

    1. Re:That's brilliant by networkBoy · · Score: 3, Interesting

      Five bucks says we start seeing this code in copy-paste applications soon because people too lazy to write and understand the code they're producing are also too lazy to look where the code came from...

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    2. Re:That's brilliant by fractoid · · Score: 3, Funny

      Five bucks says we start seeing this code in copy-paste applications soon because people too lazy to write and understand the code they're producing are also too lazy to look where the code came from...

      I hate you for how plausible that sounds.

      --
      Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
  2. Try Jarlsberg, the newest app from Google... by Anonymous Coward · · Score: 4, Funny

    It's odd to see Google striving to be like Microsoft.

  3. Jarlsberg by clone53421 · · Score: 5, Informative

    For those who missed the reference, Jarlsberg is a variety of cheese which has large, irregular holes.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  4. For those who may ask... by Juba · · Score: 4, Funny

    The webapp is written in Python.

  5. Obligatory by Yvan256 · · Score: 3, Funny

    Customer: Jarlsberg, perhaps?
    Owner: Ah! We have Jarlsberg, yessir.
    Customer: (surprised) You do! Excellent.
    Owner: Yessir. It's..ah,.....it's a bit runny...
    Customer: Oh, I like it runny.
    Owner: Well,.. It's very runny, actually, sir.
    Customer: No matter. Fetch hither the cheese of Norway! Mmmwah!
    Owner: I...think it's a bit runnier than you'll like it, sir.
    Customer: I don't care how fucking runny it is. Hand it over with all speed.
    Owner: Oooooooooohhh........! (pause)
    Customer: What now?
    Owner: The cat's eaten it.
    Customer: (pause) Has he.
    Owner: She, sir.

  6. Ooh, cheese! by dangitman · · Score: 3, Funny

    Cheese is a kind of meat
    A tasty yellow beef
    I milk it from my teat
    But I try to be discreet
    Ooh, cheese.
    Ooh, cheese.

    --
    ... and then they built the supercollider.
  7. HackThisSite by brainfsck · · Score: 3, Informative

    I had fun messing around on the site. If you're interested in this sort of thing, HackThisSite.org has about a dozen similar "Realistic Missions" as well as forums and many other types of security-related challenges.

  8. Web Goat by dhadley519 · · Score: 4, Informative

    Interested parties should also be aware of WebGoat by the OWASP team. http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

    1. Re:Web Goat by halcyon1234 · · Score: 5, Funny

      Yeah-- as a rule of thumb, I don't follow any link on Slashdot that matches /^.*goat.*$/i

  9. the problem with learning insecurity from web-devs by justinnf · · Score: 3, Interesting

    is that they generally don't know wtf they're talking about; I only looked at the part on buffer/integer related overflows; where they take the moment to not only give me flat out wrong advice, but also see fit to try and propagandize me:

    "This codelab doesn't cover overflow vulnerabilities because Jarlsberg is written in Python, and therefore not vulnerable to typical buffer and integer overflow problems. Python won't allow you to read or write outside the bounds of an array and integers can't overflow. While C and C++ programs are most commonly known to expose these vulnerabilities, other languages are not immune. For example, while Java was designed to prevent buffer overflows, it silently ignores integer overflow."

    The thing is, Google of all organizations, and specifically appspot, should know better. I mean, I already told them. I mean seriously, look at this.

    Of particular interest is: http://bugs.python.org/issue2620 ... reported: 2008-04-11 22:35:37 bug closed: ?????

    Just stop with this incessant bullshit 'lol hey my program-by-number language of choice doesnt have memory corruption security issues@#@!#'. It's all assembly at the end, and the processor does whatever you tell it, so everything has this problem. I thought this would be clear from my work, Dowd's actionscript work, nemo's obj-c work, ilja's pascal work, brezinski & mcdonalds ruby work, et cetera.

    In short, when you try to talk about things you don't know, especially in the realm of security; you do more harm than good.