Google Webmaster Central Blog - Official news on crawling and indexing sites for the Google index

Do know evil

Tuesday, May 04, 2010 at 8:19 AM

(Cross-posted on the Google Online Security Blog)

UPDATE July 13: We have changed the name of the codelab application to Gruyere. The codelab is now located at http://google-gruyere.appspot.com.

We want Googlers to have a firm understanding of the threats our services face, as well as how to help protect against those threats. We work toward these goals in a variety of ways, including security training for new engineers, technical presentations about security, and other types of documentation. We also use codelabs — interactive programming tutorials that walk participants through specific programming tasks.

One codelab in particular teaches developers about common types of web application vulnerabilities. In the spirit of the thinking that "it takes a hacker to catch a hacker," the codelab also demonstrates how an attacker could exploit such vulnerabilities.

We're releasing this codelab, entitled "Web Application Exploits and Defenses," today in coordination with Google Code University and Google Labs to help software developers better recognize, fix, and avoid similar flaws in their own applications. The codelab is built around Gruyere, a small yet full-featured microblogging application designed to contain lots of security bugs. The vulnerabilities covered by the lab include cross-site scripting (XSS), cross-site request forgery (XSRF) and cross-site script inclusion (XSSI), as well as client-state manipulation, path traversal and AJAX and configuration vulnerabilities. It also shows how simple bugs can lead to information disclosure, denial-of-service and remote code execution.

The maxim, "given enough eyeballs, all bugs are shallow" is only true if the eyeballs know what to look for. To that end, the security bugs in Gruyere are real bugs — just like those in many other applications. The Gruyere source code is published under a Creative Commons license and is available for use in whitebox hacking exercises or in computer science classes covering security, software engineering or general software development.

To get started, visit http://google-gruyere.appspot.com/. An instructor's guide for using the codelab is now available on Google Code University.

Posted by Bruce Leban, Software Engineer


Labels: , ,

The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.

5 comments:

Synaps Technologies said...

This is good

May 6, 2010 at 1:40 PM
jamal sehwail said...

Good and useful for webmasters, thanks to Google's concerns.

May 12, 2010 at 4:17 PM
mihir said...

agree wid @jamal
useful for all of us.
thanks

May 14, 2010 at 1:22 AM
Aqeel Bilal Malik said...

Perfect, i agree that we must follow these guidelines as to protect our content from such vulnerabilities.

May 20, 2010 at 11:26 PM
Google Webmaster Central said...

Hi everyone,

Since over a year has passed since we published this post, we're closing the comments to help us focus on the work ahead. If you still have a question or comment you'd like to discuss, free to visit and/or post your topic in our Webmaster Central Help Forum.

Thanks and take care,
The Webmaster Central Team

June 6, 2012 at 5:24 AM

Post a Comment