Learn Web Application Exploits and Defenses for free~Penetration Testing
Are you willing to
Learn Web Application Exploitation and Defence against that? Here is the
chance for you. Google Labs provides a Lab to learn Web Application
for free of cost.
Penetration Testing :
This code-lab is built around Gruyere /ɡruːˈjɛər/ - a small, cheesy web
application that allows its users to publish snippets of text and store
assorted files. "Unfortunately," Gruyere has multiple security bugs
ranging from cross-site scripting and cross-site request forgery, to
information disclosure, denial of service, and remote code execution.
The goal of this code-lab is to guide you through discovering some of
these bugs and learning ways to fix them both in Gruyere and in general.
The code-lab is organised by types of vulnerabilities. In each section, you'll find a brief description of a vulnerability and a task to find an instance of that vulnerability in Gruyere. Your job is to play the role of a malicious hacker and find and exploit the security bugs. In this code-lab, you'll use both black-box hacking and white-box hacking. In black box hacking, you try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behaviour. You do not have access to the source code, although understanding how to view source and being able to view HTTP headers (as you can in Chrome or Live HTTP Headers for Firefox) is valuable. Using a web proxy like Burp or WebScarab may be helpful in creating or modifying requests. In white-box hacking, you have access to the source code and can use automated or manual analysis to identify bugs. You can treat Gruyere as if it's open source: you can read through the source code to try to find bugs. Gruyere is written in Python, so some familiarity with Python can be helpful. However, the security vulnerabilities covered are not Python-specific and you can do most of the lab without even looking at the code. You can run a local instance of Gruyere to assist in your hacking: for example, you can create an administrator account on your local instance to learn how administrative features work and then apply that knowledge to the instance you want to hack. Security researchers use both hacking techniques, often in combination, in real life.
They'll tag each challenge to indicate which techniques are required to solve them:
Challenges that can be solved just by using black box techniques.
Challenges that require that you look at the Gruyere source code.
Challenges that require some specific knowledge of Gruyere that will be given in the first hint.
Penetration Testing :
- Learn how hackers find security vulnerabilities!
- Learn how hackers exploit web applications!
- Learn how to stop them!
- How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
- How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.
Gruyere
The code-lab is organised by types of vulnerabilities. In each section, you'll find a brief description of a vulnerability and a task to find an instance of that vulnerability in Gruyere. Your job is to play the role of a malicious hacker and find and exploit the security bugs. In this code-lab, you'll use both black-box hacking and white-box hacking. In black box hacking, you try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behaviour. You do not have access to the source code, although understanding how to view source and being able to view HTTP headers (as you can in Chrome or Live HTTP Headers for Firefox) is valuable. Using a web proxy like Burp or WebScarab may be helpful in creating or modifying requests. In white-box hacking, you have access to the source code and can use automated or manual analysis to identify bugs. You can treat Gruyere as if it's open source: you can read through the source code to try to find bugs. Gruyere is written in Python, so some familiarity with Python can be helpful. However, the security vulnerabilities covered are not Python-specific and you can do most of the lab without even looking at the code. You can run a local instance of Gruyere to assist in your hacking: for example, you can create an administrator account on your local instance to learn how administrative features work and then apply that knowledge to the instance you want to hack. Security researchers use both hacking techniques, often in combination, in real life.
They'll tag each challenge to indicate which techniques are required to solve them:
Challenges that can be solved just by using black box techniques. Challenges that require that you look at the Gruyere source code. Challenges that require some specific knowledge of Gruyere that will be given in the first hint.WARNING:Accessing or attacking a computer system without authorisation is illegal in many jurisdictions. While doing this code-lab, you are specifically granted authorisation to attack the Gruyere application as directed. You may not attack Gruyere in ways other than described in this code-lab, nor may you attack App Engine directly or any other Goggle service. You should use what you learn from the code-lab to make your own applications more secure. You should not use it to attack any applications other than your own, and only do that with permission from the appropriate authorities (e.g., your company's security team).
Muhammad Shahbaz (17 Years Old) is a Young blogger, SEO Expert, & Cyber Security Expert from Pakistan 
0 Comments:
Post a Comment
If you're having issues, Please leave an email address I can contact you on -
I advise you to also "subscribe to the comment feed" and get email updates when I respond to your question.
Hyperlinks are not allowed, Spam/advertising comments will NEVER BE TOLERATED and will be deleted immediately!
Thanks for reading,
Administrator Of FOCSoft