TOOLS |

Google builds lessons for Web Application Security

Google Gruyere

Google has put some web application security testing training lessons around a vulnerable application that you are allowed to (within the boundaries) attack and test for the purpose to learn about application security threats, testing, and how to develop more secure applications.

This codelab is built around Gruyere - a small, cheesy web application that allows its users to publish snippets of text and store assorted files. "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting,cross-site request forgery, information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general.

screenshot of Google's Gruyere

The codelab is organized by types of vulnerabilities. In each section, you'll find a brief description of a vulnerability and a task to find an instance of that vulnerability in Gruyere. Your job is to play the role of a malicious hacker and find and exploit the security bugs. In this codelab, you'll use both black-box hacking and white-box hacking. In black box hacking, you try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behaviour.

Web Application Exploits and Defenses - Gruyere from Google

Looking for ways train up?

Our article Cyber Security Training that doesn't suck has filtered down the hundreds available in an easy to use list including courses, online training labs and free resources.

Other similar projects to Gruyere:

Web Goat is another tool for testing from owasp.org
Damn Vulnerable Web Application
Damn Vulnerable Linux is a collection of Security Testing tools and Exploitable Applications <- Discontinued.