Consider a Node.js API that serves user-uploaded documents:
Never use GET requests for actions that modify data.

3. SQL and Datastore Injection
Google Gruyere is a deliberately vulnerable web application designed to teach application security basics. It serves as an industry-standard sandbox for developers, testers, and security enthusiasts to learn how attackers exploit web vulnerabilities and how engineers code defenses against them.
Gruyere allows users to upload files and access them via a specific URL structure, such as http://appspot.com . By inserting dot-dot-slash (../) sequences into that input, an attacker can break out of the intended directory:
Google Gruyere was created by Bruce Leban, Mugdha Bendre, and Parisa Tabriz—the same engineer known as Google's "Security Princess"—as a self-paced, self-contained course that teaches students how attackers exploit web applications and how developers can protect them. The codelab is built around Gruyere, a small but fully-featured microblogging application intentionally packed with security bugs.
The goal is to get a logged-in user to delete one of their own snippets without their knowledge. To do this, you can create a malicious HTML page on your own server that automatically submits a request to Gruyere's deletion endpoint. For example, an <img> tag with the src attribute set to https://google-gruyere.appspot.com/123/delete-snippet?id=456 would send a GET request, and the browser would attach all of the user's cookies for google-gruyere.appspot.com. If the user is logged in, the snippet will be deleted.
The primary defense is output encoding/escaping. Never trust user input, and use a context-aware sanitization library. In fact, Gruyere itself ships with a sanitize.py module meant to protect the application. You can examine its code to see a real-world attempt at an HTML sanitizer and then try to fix or rewrite it as a more advanced exercise.
The most robust defense is a CSRF token—a unique, unpredictable, and secret value associated with the user's session. The server includes this token in a hidden form field, and any state-changing request must carry it; requests whose token is missing or does not match the session's value are rejected. Developers can also use the SameSite cookie attribute (setting it to Lax or Strict) as a modern, strong defense.
This is a high-risk vulnerability that allows an attacker to read files outside the intended directory. Web applications often serve static resources such as images. If the path for an image is taken directly from a URL parameter without validation (e.g., download?file=profile.jpg), an attacker can inject ../ (parent directory) sequences to walk the server's file system. For example, a request to https://gruyere.com/123/../secret.txt could trick the server into reading the secret.txt file.
This guide walks you through the top vulnerabilities you can learn using Gruyere and how to defend against them.

What is Gruyere?
By stepping into the role of a hacker, you gain invaluable insight into the attacker's mindset. You learn to see the subtle cracks in an application's logic, the places where trusting the client can lead to disaster, and the hidden configuration pitfalls that await the unwary. The only way to truly know your enemy is to fight them on their own turf. So go ahead, launch your Gruyere instance, and start hacking. The best defense is a good offense.
When another user views the attacker's profile or snippet, their browser executes the script, instantly sending their session cookies to the attacker.

The Defense
Defensive concepts and secure coding practices

Gruyere is instructive not only about attacks but also about the defenses developers must adopt:
If you are looking for a solid paper on the vulnerabilities and defenses associated with Google Gruyere, a highly relevant recent research paper is "Security Analysis of Web Applications Based on Gruyere".
Effective XSS prevention requires a multi-layered approach. First, context-aware output encoding is essential. Different contexts (HTML body, attributes, JavaScript strings, URLs) require different encoding strategies. Simply stripping angle brackets is insufficient: attackers have numerous ways to bypass such filters.
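One encoder per output context, as an added example that serves both the output-encoding defense discussed earlier and the multi-context point above. It is not Gruyere's sanitize.py and not this guide's code; the renderProfile page layout, the user object shape ({ name, homepage }) and the /snippets?author= link are assumptions for the example. Plain Node.js, no libraries.

```javascript
// Added example (not Gruyere's sanitize.py): escaping applied at output time,
// with a different encoder for each place a user-controlled value lands.

// HTML body and quoted attribute values: neutralise the HTML metacharacters.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string literal: escape everything except [A-Za-z0-9], so quotes,
// backslashes and "</script>" cannot end the literal or the script element.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query parameter: percent-encoding keeps "&", "#" and "=" from adding
// or altering parameters.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// href/src attribute: allow only http(s) or relative URLs (this rejects a
// "javascript:" scheme, which no encoder can make safe), then attribute-encode.
function safeHref(url) {
  const scheme = /^\s*([a-z][a-z0-9+.-]*):/i.exec(String(url));
  if (scheme && !['http', 'https'].includes(scheme[1].toLowerCase())) return '#';
  return encodeHtml(url);
}

// The approach the text warns against: stripping angle brackets only. In an
// attribute context a value with no brackets at all can still break out.
function naiveStripAngles(value) {
  return String(value).replace(/[<>]/g, '');
}

// A profile fragment built from user-controlled fields, each encoded for the
// context it is written into. Attribute values are always quoted.
function renderProfile(user) {
  return [
    `<h1>${encodeHtml(user.name)}</h1>`,
    `<a href="${safeHref(user.homepage)}" title="${encodeHtml(user.name)}">home</a>`,
    `<a href="/snippets?author=${encodeUrlParam(user.name)}">snippets</a>`,
    `<script>var author = "${encodeJsString(user.name)}";</script>`,
  ].join('\n');
}
```

The same display name is written four times and encoded four different ways; an encoder chosen for the wrong context (HTML-escaping inside the script literal, for instance) leaves a gap even though every character was "escaped".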