[ISN] Google tutorial lets developers play malicious hacker

From: InfoSec News <alerts_at_private>
Date: Wed, 5 May 2010 00:22:29 -0500 (CDT)
http://www.theregister.co.uk/2010/05/05/google_web_app_security_course/

By Dan Goodin in San Francisco
The Register
5th May 2010

Google has released a free online tutorial that gives developers the 
chance to play the role of malicious hacker by exploiting real security 
bugs in a mock web application.

The codelab is premised on a "small, cheesy web application" dubbed 
Jarlsberg that is chock-full of bugs that can be exploited to take down 
webservers, perform remote code-execution attacks, and spring 
information-disclosure leaks. It can be downloaded and run on a local 
machine to teach developers firsthand the perils of insecure coding.

Google's "Web Application Exploits and Defenses" codelab can be used in 
a black-box setting, in which hackers aren't privy to the source code of 
the application they're attacking, or a white-box setting, in which they 
are. Jarlsberg is written in Python, although hackers, of course, need 
not be versed in the language in order to make mincemeat of the 
application.

The tutorial is designed to give developers - and anyone else - hands-on 
experience finding and fixing security bugs in the typical web 
application. It's broken up into various classes of vulnerabilities such 
as XSS, or cross-site scripting; CSRF, or cross-site request forgeries; 
and path traversal. Students are taught not only how to identify 
specific types of vulnerabilities but how to exploit them to carry out 
certain types of attacks.

[...]


_______________________________________________
Best Selling Security Books and More!
Shop InfoSec News
http://www.shopinfosecnews.org/ 
Received on Tue May 04 2010 - 22:22:29 PDT

This archive was generated by hypermail 2.2.0 : Tue May 04 2010 - 22:27:26 PDT