Google Releases a Web-App Case Study For Hackers
Hugh Pickens writes "The San Francisco Chronicle reports that Google has released Jarlsberg, a 'small, cheesy' web application specifically designed to be full of bugs and security flaws as a security tutorial for coders, and encourages programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code. Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The codelab is organized by types of vulnerabilities."
"In black box hacking, users try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs. The tutorial notes that accessing or attacking a computer system without authorization is illegal in many jurisdictions but while doing this codelab, users are specifically granted authorization to attack the Jarlsberg application as directed."
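The summary lists the bug classes the codelab is organised around. As an added example, not code from the Jarlsberg codelab or from the post above, here is one tiny guestbook handler written twice in the codelab's own language: first with three of those bugs (reflected XSS, stored XSS, and CSRF on a state-changing request), then hardened. Only the standard library is used; the Request and Session classes are constructed stand-ins for a web framework's objects, and the payload string is constructed for the demonstration.

```python
# Added example (not from the Jarlsberg codelab): a guestbook handler with
# the bug classes the summary lists, beside the hardened equivalent.
import hmac
import html
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:                        # constructed stand-in for a framework request
    method: str
    params: dict                      # query/form fields: attacker-controlled
    cookies: dict = field(default_factory=dict)


@dataclass
class Session:                        # constructed stand-in for a server-side session
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    snippets: list = field(default_factory=list)


# Constructed attack payload; a real one would exfiltrate document.cookie.
PAYLOAD = "<script>alert(document.cookie)</script>"


# --- the "cheesy" versions: what a black-box tester pokes at ---------------
def greet_vulnerable(req: Request) -> str:
    # Reflected XSS: user input is pasted straight into the HTML body.
    return "<p>Hello, %s!</p>" % req.params.get("name", "")


def add_snippet_vulnerable(req: Request, session: Session) -> str:
    # CSRF: no method check and no token, so any cross-site <form> or <img>
    # that rides on the victim's cookie adds a snippet to the victim's account.
    session.snippets.append(req.params.get("snippet", ""))
    return "ok"


def render_snippets_vulnerable(session: Session) -> str:
    # Stored XSS: snippets are emitted unescaped.
    return "".join("<li>%s</li>" % s for s in session.snippets)


# --- hardened versions ---------------------------------------------------
def greet_hardened(req: Request) -> str:
    # Encode for the HTML text context; quote=True also covers attribute values.
    return "<p>Hello, %s!</p>" % html.escape(req.params.get("name", ""), quote=True)


def add_snippet_hardened(req: Request, session: Session) -> str:
    if req.method != "POST":
        return "405 method not allowed"            # state changes never ride on GET
    supplied = req.params.get("csrf_token", "")
    # Per-session secret token compared in constant time. compare_digest on
    # str requires ASCII, so compare the UTF-8 bytes to avoid a TypeError on
    # attacker-chosen input.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return "403 bad csrf token"
    session.snippets.append(req.params.get("snippet", ""))  # store raw, escape on output
    return "ok"


def render_snippets_hardened(session: Session) -> str:
    # Escape at output time so stored data is safe whatever route it took in.
    return "".join("<li>%s</li>" % html.escape(s, quote=True) for s in session.snippets)


def demo() -> dict:
    """Run the attacks against both versions; True means the attack got through."""
    victim = Session(user="brie")
    xss_req = Request("GET", {"name": PAYLOAD})
    forged = Request("POST", {"snippet": PAYLOAD})               # cross-site, no token
    legit = Request("POST", {"snippet": "hi", "csrf_token": victim.csrf_token})
    return {
        "reflected_vuln": "<script>" in greet_vulnerable(xss_req),
        "reflected_hard": "<script>" in greet_hardened(xss_req),
        "csrf_vuln": add_snippet_vulnerable(forged, victim) == "ok",
        "csrf_hard": add_snippet_hardened(forged, victim) == "ok",
        "legit_hard": add_snippet_hardened(legit, victim) == "ok",
        "stored_vuln": "<script>" in render_snippets_vulnerable(victim),
        "stored_hard": "<script>" in render_snippets_hardened(victim),
    }


if __name__ == "__main__":
    for name, got_through in demo().items():
        print("%-15s attack succeeded: %s" % (name, got_through))
```

The hardened handler keeps the stored data raw and escapes at output time, which is the choice that survives new output contexts being added later; escaping on the way in only protects the contexts you thought of at the time. The method check and the token are both needed: a token alone still lets a GET with the right parameters be replayed from a link, and a method check alone does nothing against a cross-site POST form.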
HackThisSite (Score:3, Informative)
That's brilliant (Score:4, Funny)
The hard part, though, will be keeping up with all the patches for 0-day missing-vulnerabilities.
Re: (Score:1, Troll)
Let me guess, we'll learn:
- Sanitise input so random commands can't be executed on the server;
- Don't allow upload of random files such as malformed JPGs which can include executable code;
- Don't allow upload of HTML snippets which can contain cross-site scripting vulnerabilities;
- Don't use session ID info which can be copy-pasted elsewhere, especially not corresponding to other people's accounts;
- Don't do anything Google hasn't thought of, or they'll get pissy. Remember, you're only allowed to be as secu
Re:That's brilliant (Score:4, Interesting)
Five bucks says we start seeing this code in copy-paste applications soon because people too lazy to write and understand the code they're producing are also too lazy to look where the code came from...
Re:That's brilliant (Score:4, Funny)
Five bucks says we start seeing this code in copy-paste applications soon because people too lazy to write and understand the code they're producing are also too lazy to look where the code came from...
I hate you for how plausible that sounds.
Re: (Score:2, Funny)
that's what I'm here for ;)
Re: (Score:2)
I suspect that Google has this so sandboxed to hell they don't give a fuck what you do to it. VM inside a VM inside a VM inside a VM rebooting and losing state every 5 minutes sounds about right. Also alternate between Linux and Windows in the VMs, and make sure to run Norton antivirus on all the Windows ones.
For optimal security, randomly vary the VM recursion depth so attackers can't figure it out.
Re: (Score:2)
Norton would slow the VMs down too much....
Re: (Score:2)
Good point, we can replace it with a busy-waiting process that also thrashes disk, only just a little bit less. Save RAM too.
Try Jarlsberg, the newest app from Google... (Score:4, Funny)
It's odd to see Google striving to be like Microsoft.
Jarlsberg (Score:5, Informative)
For those who missed the reference, Jarlsberg [wikipedia.org] is a variety of cheese which has large, irregular holes.
How long... (Score:1)
For those who may ask... (Score:4, Funny)
Re: (Score:2, Insightful)
If I am launching an XSS attack against your website I don't really care what language it's scripted in, do I? I just try to defeat whatever process you're using to sanitize my text.
For a SQL injection attack I would think the database engine is more important to know than the script that is passing the crappy dynamic sql to it.
I am not much of a hacker, I just try to defend my sites the best I can. In all
Re: (Score:2)
The point isn't really for you to attack the site. The point is for people writing web applications to look at this deliberately and openly buggy application and see the similarities to their own code. If they can't easily understand the Jarlsberg code then they might not make that connection, thus defeating the whole point of the exercise.
Most of the things they're demonstrating are obvious and well-known to anyone who actively thinks about security and sanitisation of user-supplied data. So while you can
it's python (Score:2)
so while you can argue that any good programmer with knowledge of a handful languages would be able to easily understand Python code, it's not really aimed at the good programmers in the first place.
It's aimed at someone who's familiar enough with programming to be doing web dev and serious enough about writing good code to bother using this app. Those people will have no trouble with Python, which really isn't all that hard, especially since the app's source is basically self-commenting and really clean. I know almost nothing about web dev, but don't have much trouble following the code (granted, I code in Python).
Re: (Score:1)
The other half of the value is being able to walk through the source and see where the programmer could have plugged some holes. I suspect anyone taking the time to use this site will be able to muddle through. And of course everything google does starts in py
Re: (Score:2)
The problem here is once you know something can be done, you need to know the best ways to avoid doing it. Each language has its own pitfalls, and identifying the bad code and how to deal with it is the really important part of this exercise. Basically, knowing there is a problem, and knowing how to fix the problem are different things.
I'm not trying to say what Google has done is a bad thing - I just think it would have made more sense to cover popular languages. This would have a greater benefit to the
Re: (Score:2)
Of course, most people will have to learn a new language in order for this to be useful which diminishes the effort.
It's not like you have to be fluent in a language to understand the code to some degree. There are a lot of concepts in programming that transfer amongst the various languages and it would take no more than a trip to Wikipedia to see how any language works in relation to any other.
Reasons for Python (Score:1)
1) the application runs on Google's App Engine, which supports (only) Python and the Java VM. (So Google saved lots of time reusing their AppEngine machinery.)
2) Python is an easy-to-understand language.
a tutorial from China (Score:1, Flamebait)
would be better. I have no trust in being taught security principles by a closed source company whose greatest asset is information about me.
All the good security texts are by people who are open with their ideas, open with their methods and open with their code.
Re: (Score:3, Insightful)
...while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs.
Those closed [google.com] source [android.com] bastards!
Re: (Score:2, Informative)
Android is built on Linux, which is open source. Google's apps on Android are closed source.
Chromium is built on WebKit, which is built on KDE's HTML rendering engine, which is open source. Chrome is closed source.
So even when they're taking great advantage of open source, like Apple, they can't resist making sure the full kaboodle is closed. And these are just their minor projects.
Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).
Re: (Score:2)
So even when they're taking great advantage of open source, like Apple, they can't resist making sure the full kaboodle is closed. And these are just their minor projects.
However, Google does a lot more to foster openness than Apple. Google doesn't like locked-down Android phones (otherwise why would they release the Nexus One?), Apple however seems to love having a closed platform.
Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).
Well of course it is closed. It is more or less a trade secret. If PageRank was open source, Google would be no more. Howev
Re: (Score:2)
Well of course it is closed. It is more or less a trade secret.
Yeah, that's everyone's excuse for closed source.
If PageRank was open source, Google would be no more.
I didn't realise Google were such a one-trick po.. OK, yes I did. Good! Let them "innovate" in better ways than by hiding their super sekrit algorithms from each other. No wonder there's been so little advance in search quality over the past decade.
However, unlike closed source programs, it doesn't hinder usability and it works better than competitors.
Sometimes it does, sometimes it doesn't. There are half a dozen good search engines and, if you're just using Google, you're getting a fairly skewed view of the web. And it certainly hinders usability that others c
Re: (Score:2)
Yeah, that's everyone's excuse for closed source.
Then don't use the products? For Christ's sake, man, you're going to have to put up with a mixed ecosystem; hegemony is not going to be a good thing regardless of whether it's closed or open source.
There is nothing that says you are entitled to effective search, or entitled to a pointless touchscreen "phone" (sorry they are nothing more than two way radios to me and I can't understand people spending more than 50 bucks on a phone, but that's my problem).
You can avoid all the closed source stuff in the world
Re: (Score:2)
Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).
I didn't know they had promised that. Do you have a link?
Re: (Score:2)
*yawn* Come back to us when you show us when they've open sourced the adsense/adwords platform, or all their Linux kernel changes they've kept to themselves, or GoogleF, or their PageRank code. You know, things that are actually fundamental to their revenue stream.
Re: (Score:2)
Almost all the code I've deployed since 2001 is or has been (in cases where it's way too outdated to be usable) available publicly. I shan't link to it, because it'd link my real identity to my /. account - I value privacy, even though most of today's 'net users don't.
The first and only office-y job I had before that, before self-employment, guarded its code jealously. While I went some small way to opening things up, they weren't that interested. Since then I've been able to fully form and stick to princip
Re: (Score:2)
I don't "respect" Google, and the only reason I wouldn't use their code commercially (with correct attribution) if I found it lying in the middle of the road is that I might face legal problems. If you don't want an idea shared, don't tell it to anyone, and I'll respect your right not to be tortured or otherwise forced to reveal it. Otherwise respect my freedom of choice to speak what I know.
But you're strawmanning, because my argument was simply to never trust a security lesson from an outfit like Google.
Re: (Score:2)
What does open/closed source have to do with this?
Yes, why not trust the motives of people who keep everything a secret?
Everyone has to start somewhere.
Absolutely. But a little learning is a dangerous thing where security is concerned - by the writers too, it seems, since they come out with stuff like Python implying imperviousness to buffer overflows (another commenter has covered this well in the posts he links to).
I'd have let them get away with it if they'd chosen a more honestly self-deprecating title. How about, "Brief introduction to inherent problems with the HTML application mod
Re: (Score:2)
Oooh ice burn! The fact of the matter is that Google is not an open source company. No one would accept people claiming that Microsoft is an open source company by pointing out how they have open sourced the ASP.NET MVC framework. Just because Google has open sourced some pet projects that have little to no bearing on their revenue stream doesn't make them an open source company.
Re: (Score:2)
Oh, bullshit. By that logic, a speed limit sign in one location would invalidate speeding tickets for all other locations.
Obligatory (Score:4, Funny)
Customer: Jarlsberg, perhaps?
Owner: Ah! We have Jarlsberg, yessir.
Customer: (surprised) You do! Excellent.
Owner: Yessir. It's..ah,.....it's a bit runny...
Customer: Oh, I like it runny.
Owner: Well,.. It's very runny, actually, sir.
Customer: No matter. Fetch hither the cheese of Norway! Mmmwah!
Owner: I...think it's a bit runnier than you'll like it, sir.
Customer: I don't care how fucking runny it is. Hand it over with all speed.
Owner: Oooooooooohhh........! (pause)
Customer: What now?
Owner: The cat's eaten it.
Customer: (pause) Has he.
Owner: She, sir.
Ooh, cheese! (Score:4, Funny)
Cheese is a kind of meat
A tasty yellow beef
I milk it from my teat
But I try to be discreet
Ooh, cheese.
Ooh, cheese.
Re: (Score:2)
Well cited, Mostly. Although the particular part you cite is actually the "Camembert" portion of the skit.
However, the names of the customer (Mousebender) and the proprietor (Wensleydale) are known [wikipedia.org]. As, apparently, all the cheeses [wikipedia.org] named in the sketch.
Which, if you think about it, says as much about Wikipedia as it does about Monty Python or the Jarlsberg web app.
This is a joke. (Score:2)
I followed the link and ended up at microsoft.com. Really funny Google... really funny.
Cheesy web-app full of bugs (Score:2)
Should Slashdot really be throwing stones?
Web Goat (Score:4, Informative)
Re: (Score:2)
I hear it features some pretty impressive holes.
Subliminal Job Application (Score:1)
Re: (Score:2)
That was barely a challenge - probably more to gauge how many people were paying attention. GCHQ puts out some interesting challenges from time to time (not all of which are still on their site, so look further if you're searching).
Is this software... (Score:1)
Fine print in the last line... (Score:1)
Griefers, unite (Score:2)
the problem with learning insecurity from web-devs (Score:3, Interesting)
"This codelab doesn't cover overflow vulnerabilities because Jarlsberg is written in Python, and therefore not vulnerable to typical buffer and integer overflow problems. Python won't allow you to read or write outside the bounds of an array and integers can't overflow. While C and C++ programs are most commonly known to expose these vulnerabilities, other languages are not immune. For example, while Java was designed to prevent buffer overflows, it silently ignores integer overflow. "
The thing is Google of all organizations, and specifically appspot, should know better. I mean, I [seclists.org] already [seclists.org] told [eusecwest.com] them [eusecwest.com]. I mean seriously, look at this [python.org].
Of particular interest is: http://bugs.python.org/issue2620 [python.org]
Just stop with this incessant bullshit 'lol hey my program-by-number language of choice doesn't have memory corruption security issues@#@!#'. It's all assembly at the end, and the processor does whatever you tell it, so everything has this problem. I thought this would be clear from my work, Dowd's ActionScript work, nemo's Obj-C work, ilja's Pascal work, brezinski & mcdonalds' Ruby work, et cetera.
In short, when you try to talk about things you don't know, especially in the realm of security, you do more harm than good.
Re: (Score:1)
You're being unfair to the Jarlsberg developers. "not vulnerable to typical buffer and integer overflow problems" is not the same as not vulnerable to *any* such problems. I agree they could be more specific, but it is true that you can't just run off the end of an array in Python like you can in C.
The bug report you refer to is about a flaw in the Python runtime environment, which is in fact a C program, and so is vulnerable to all the same problems as other C programs. To exploit this you have to give
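The two posts above disagree about what "Python can't overflow" buys you. As an added example, not from the codelab or from either commenter, here is where the guarantee starts and stops, in Python itself: pure-Python arithmetic is arbitrary precision and indexing is bounds-checked, but the moment a value is held in a fixed-width C type (ctypes here, the interpreter's own C code in the runtime bug the thread links to) the C wrap-around comes back, and a length check that was sound in Python becomes bypassable. The record format and the two sample records are constructed for the demonstration.

```python
# Added example (not from the codelab or the thread): Python-level overflow
# safety versus fixed-width arithmetic at the C boundary.
import ctypes
import struct

# Constructed format: header of (count, elem_size) as little-endian uint32s,
# followed by count * elem_size bytes of payload.
HEADER = struct.Struct("<II")


def wrap_uint32(n: int) -> int:
    # ctypes silently truncates to the C type's width, exactly like a C cast.
    return ctypes.c_uint32(n).value


def pack_uint32(n: int):
    # struct, by contrast, refuses an out-of-range value instead of truncating.
    try:
        return struct.pack("<I", n)
    except struct.error:
        return None


def bounds_checked_read(buf: bytes, index: int):
    # Python indexing raises IndexError rather than reading adjacent memory.
    try:
        return buf[index]
    except IndexError:
        return None


def payload_length_python(data: bytes):
    # Length check done with Python ints: the product is exact, so a header
    # that claims more bytes than exist is always rejected (returns None).
    count, elem_size = HEADER.unpack_from(data, 0)
    needed = count * elem_size
    if needed > len(data) - HEADER.size:
        return None
    return needed


def payload_length_c_style(data: bytes):
    # The same check with the product held in a 32-bit unsigned, as C code
    # would: count * elem_size wraps to a small number, the check passes, and
    # a caller that then copies count elements of elem_size bytes walks off
    # the end of the buffer. This is the integer-overflow-to-small-size
    # pattern behind the class of runtime bug the thread is arguing about.
    count, elem_size = HEADER.unpack_from(data, 0)
    needed = ctypes.c_uint32(count * elem_size).value
    if needed > len(data) - HEADER.size:
        return None
    return needed


# Constructed malicious record: 0x40000001 * 4 == 0x100000004 == 4 (mod 2**32),
# with only 4 bytes of payload actually present.
EVIL = HEADER.pack(0x40000001, 4) + b"\x00" * 4
# Constructed honest record: 2 elements of 4 bytes.
HONEST = HEADER.pack(2, 4) + b"\x00" * 8


if __name__ == "__main__":
    print("wrap_uint32(2**32)        =", wrap_uint32(2**32))
    print("python check on EVIL      =", payload_length_python(EVIL))
    print("C-style check on EVIL     =", payload_length_c_style(EVIL))
    print("bounds_checked_read(…,10) =", bounds_checked_read(b"abc", 10))
```

The practical reading of the thread's argument: code you write in Python is not where this bug class lives, but every C extension, ctypes call and interpreter internal your request data reaches is, so a Python web app inherits the memory-safety of its runtime and its native dependencies, not of the language.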
done (Score:1)
Jarlsberg (Score:1, Funny)
What a perfect way to prove.... (Score:2)
What a perfect way to prove just how fundamentally broken the technologies of the web are. Content, arguments, scripts, user-data....it's all just one big mess. I got to the point about hosting content on separate domains to avoid some XSS attacks and thought: when the security *fixes* look like kludges, something is very, very wrong.
Debug (Score:2)
Admin:secret
brie:briebrie
cheddar:orange
sardo:odras
This isn't anything new (Score:1)