Learning About Security Vulnerabilities by Hacking Google’s Jarlsberg


For those who have wondered what it is like to hack into another system, Google has created a special lab named Jarlsberg: a web application full of security holes, ready to be exploited by developers who want to learn hands-on what some of the possible vulnerabilities are, how malicious users take advantage of them, and what can be done to prevent such exploits.

The lab is organized around different types of security vulnerabilities, and for each one there is a task to find and exploit the vulnerability. The lab uses three main techniques:

  • Black-box – the source code of the application is undisclosed, and the user needs to guess how the server works in order to exploit security vulnerabilities
  • White-box – the source code (Python) of the application is available, as with an open source application. The user can read the code to find weaknesses
  • Gray-box – the lab offers some hints on how the application is written without disclosing the entire source code

Jarlsberg uses a number of selected features meant to increase the attack surface of the application:

  • HTML in Snippets: Users can include a limited subset of HTML in their snippets.
  • File upload: Users can upload files to the server, e.g., to include pictures in their snippets.
  • Web administration: System administrators can manage the system using a web interface.
  • New accounts: Users can create their own accounts.
  • Template language: Jarlsberg Template Language (JTL) is a new language that makes writing web pages easy as the templates connect directly to the database. Documentation for JTL can be found in jarlsberg/
  • AJAX: Jarlsberg uses AJAX to implement refresh on the home and snippets page. You should ignore the AJAX parts of Jarlsberg except for the challenges that specifically tell you to focus on AJAX.

Jarlsberg has the following security vulnerabilities to be discovered, exploited and later fixed:

  • Cross-site Scripting (XSS)
  • Cross-site Request Forgery (XSRF)
  • Cross-site Script Inclusion (CSSI)
  • Client-state Manipulation
  • Path Traversal
  • Denial of Service (DoS)
  • Code Execution
  • Configuration Vulnerabilities
  • AJAX Vulnerabilities

The lab can be run locally, to have complete control over the entire learning process, or as a sandboxed instance in Google’s cloud. Most of the lab is released under Creative Commons Attribution 3.0, while some portions are under the Creative Commons Attribution-No Derivative Works 3.0 license, making it ideal for universities and organizations that want to train their students or employees in understanding and protecting their systems from security vulnerabilities.


Community comments

  • this is great!

    by JavaFreak Coder,

    I always wanted to try and learn how these attacks are made. However, I was afraid to try attacks (XSS or SQL injection) on publicly available servers, worrying that that might put me in trouble. This will be a learning ground for a lot of software engineers and students.
