For those who have wondered what it is like to hack into another system, Google has created a special lab named Jarlsberg containing a web application full of security holes ready to be exploited by developers who want to learn hands-on what are some of the possible vulnerabilities, how malicious users use them and what can be done to prevent such exploits.
The lab is organized around different types of security vulnerabilities, and for each one there is task to find and exploit the vulnerability. Also, the lab uses three main techniques:
- Black-box – the source code of the application is undisclosed and the user needs to guess how the server works to manage to exploit security vulnerabilities
- White-box – the source code (Python) of the application is available similar to an open source application. The user can read the lines to find out weaknesses
- Gray-box – the lab offers some hints on how the application is written without disclosing the entire source code
Jarlsberg uses a number of selected features meant to increase the attack surface of the application:
- HTML in Snippets: Users can include a limited subset of HTML in their snippets.
- File upload: Users can upload files to the server, e.g., to include pictures in their snippets.
- Web administration: System administrators can manage the system using a web interface.
- New accounts: Users can create their own accounts.
- Template language: Jarlsberg Template Language(JTL) is a new language that makes writing web pages easy as the templates connect directly to the database. Documentation for JTL can be found in
jarlsberg/jtl.py
.- AJAX: Jarlsberg uses AJAX to implement refresh on the home and snippets page. You should ignore the AJAX parts of Jarlsberg except for the challenges that specifically tell you to focus on AJAX.
Jarlsberg has the following security vulnerabilities to be discovered, exploited and later fixed:
- Cross-site Scripting (XSS)
- Cross-site Request Forgery (XSRF)
- Cross-site Script Inclusion (CSSI)
- Client-state Manipulation
- Path Traversal
- Denial of Service (DoS)
- Code Execution
- Configuration Vulnerabilities
- AJAX Vulnerabilities
The lab can be run locally in order to have complete control over the entire learning process or it can be run as a sandboxed instance in Google’s cloud. Most of the lab is released under Creative Commons Attribution 3.0, while some portions are under Creative Commons Attribution-No Derivative Works 3.0 license, making it ideal for universities and organizations which want to train their students or employers in understanding and protecting their systems from security vulnerabilities.