Learning About Security Vulnerabilities by Hacking Google’s Jarlsberg

by Abel Avram on May 07, 2010 |

For those who have wondered what it is like to hack into another system, Google has created a special lab named Jarlsberg: a web application full of security holes, ready to be exploited by developers who want to learn hands-on what some of the possible vulnerabilities are, how malicious users exploit them, and what can be done to prevent such exploits.

The lab is organized around different types of security vulnerabilities, and for each one there is a task to find and exploit the vulnerability. The lab also uses three main techniques:

  • Black-box – the source code of the application is undisclosed and the user needs to guess how the server works in order to exploit security vulnerabilities
  • White-box – the source code (Python) of the application is available, as with an open source application. The user can read the code to find its weaknesses
  • Gray-box – the lab offers some hints on how the application is written without disclosing the entire source code

Jarlsberg uses a number of selected features meant to increase the attack surface of the application:

  • HTML in Snippets: Users can include a limited subset of HTML in their snippets.
  • File upload: Users can upload files to the server, e.g., to include pictures in their snippets.
  • Web administration: System administrators can manage the system using a web interface.
  • New accounts: Users can create their own accounts.
  • Template language: Jarlsberg Template Language (JTL) is a new language that makes writing web pages easy as the templates connect directly to the database. Documentation for JTL can be found in jarlsberg/jtl.py.
  • AJAX: Jarlsberg uses AJAX to implement refresh on the home and snippets page. You should ignore the AJAX parts of Jarlsberg except for the challenges that specifically tell you to focus on AJAX.
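The first two features above, HTML in snippets and file uploads, are the ones most directly tied to two of the vulnerability classes the lab covers (XSS and path traversal). The following is an added illustration of how a server can offer those features safely; it is not Jarlsberg's code, and the tag allowlist, the upload root and the function names are assumptions chosen for the example. Snippet HTML is re-serialized through an allowlist so that only known-safe tags and attributes survive and everything else is rendered as escaped text; upload paths are reduced to a single path component, special names are rejected, and the canonical result is checked against the upload root.

```python
import html
import os
from html.parser import HTMLParser

# Assumed allowlist for snippet HTML: a small set of formatting tags, and
# only href on <a>, restricted to http(s) so javascript:/data: URLs are dropped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "li", "pre", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http://", "https://")


class SnippetSanitizer(HTMLParser):
    """Re-serializes user HTML, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag is dropped; its text content still flows through handle_data
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # event handlers, style, src, etc. are never copied
            if name == "href" and not (value or "").lower().startswith(SAFE_SCHEMES):
                continue
            safe_attrs.append(' %s="%s"' % (name, html.escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(safe_attrs)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is always escaped.
        self.out.append(html.escape(data, quote=False))


def sanitize_snippet(raw):
    """Return an HTML string containing only allowlisted markup."""
    parser = SnippetSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


# Assumed location of per-user upload directories.
UPLOAD_ROOT = "/var/app/uploads"


def _single_component(value):
    """Reduce a request-supplied name to one path component and reject special names."""
    name = os.path.basename(value)  # strips any directory part, including "../"
    if name in ("", ".", ".."):
        raise ValueError("invalid path component: %r" % value)
    return name


def resolve_upload_path(user_name, filename):
    """Map (user, filename) from the request to a path confined under UPLOAD_ROOT."""
    root = os.path.realpath(UPLOAD_ROOT)
    user_dir = os.path.realpath(os.path.join(root, _single_component(user_name)))
    target = os.path.realpath(os.path.join(user_dir, _single_component(filename)))
    # Final check on the canonical path, in case a symlink or an unexpected
    # component got past the name checks above.
    if os.path.commonpath([target, root]) != root or target == root:
        raise ValueError("path escapes the upload directory")
    return target


if __name__ == "__main__":
    # Constructed sample input: allowed formatting mixed with script injection attempts.
    sample = '<b>hi</b><script>alert(1)</script><a href="javascript:alert(1)">x</a><img src=x onerror=alert(1)>'
    print(sanitize_snippet(sample))
    print(resolve_upload_path("alice", "../../etc/passwd"))
```

Note that the sanitizer does not try to "fix" dangerous input; it only emits what the allowlist permits, so a new tag or attribute is blocked until a developer deliberately adds it. The path helper likewise refuses names it cannot reduce to a plain component rather than attempting to clean them.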

Jarlsberg has the following security vulnerabilities to be discovered, exploited and later fixed:

  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (XSRF)
  • Cross-site Script Inclusion (CSSI)
  • Client-state Manipulation
  • Path Traversal
  • Denial of Service (DoS)
  • Code Execution
  • Configuration Vulnerabilities
  • AJAX Vulnerabilities

The lab can be run locally in order to have complete control over the entire learning process, or it can be run as a sandboxed instance in Google’s cloud. Most of the lab is released under Creative Commons Attribution 3.0, while some portions are under the Creative Commons Attribution-No Derivative Works 3.0 license, making it ideal for universities and organizations that want to train their students or employees in understanding and protecting their systems from security vulnerabilities.


this is great! by JavaFreak Coder

I always wanted to try and learn how these attacks are made. However, I was afraid to try attacks (XSS or SQL injection) on publicly available servers, worrying that it might get me in trouble. This will be a learning ground for a lot of software engineers and students.
