What do you call a piece of software that has been designed to have as many security holes as possible? Why Gruyere of course! More interestingly why would Google create such a defective monster?
The idea is that Gruyere - a "cheesy" microblogging application - demonstrates just how not to do things. To sum it up I can do no better than to quote its own website's description:
"This codelab is built around Gruyere /ɡruːˈjɛər/ - a small, cheesy web application that allows its users to publish snippets of text and store assorted files. "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Gruyere and in general."
The codelab walks you through each of the vulnerabilities organised by type. It demonstrates black box hacking by getting you to examine errors, HTTP requests and responses. In short using anything you can find out about the site without having access to its code. It then moves on to white box hacking where you do have access to the code - imagine that this is an open source application.
Gruyere is written in Python and uses the Google AppEngine framework and so for white box hacking at least being able understand Python code is an advantage but the vulnerabilities illustrated are not Python specific. For black box hacking of course what the site is written in is more or less irrelevant.
Each challenge is tagged by a "holey cheese" icon to indicate what sort of knowledge is needed to achieve the hack. You also are given a brief overview of the vulnerability and then a statement of the challenge. For example the first challenge is about cross site scripting and the challenge is:
Can you upload a file that allows you to execute an arbitrary script on the Gruyere domain?
Following the statement of the challenge you have some optional hints and a description of the exploit and the fix. This is really good stuff and well worth paying for - so it's a huge bonus that its all completely free.
Each user is given a sandboxed instance of the application so that there is no interaction from the activities of your fellow hackers. You can work as a team, however, if you share the personalised URL that gives access to your instance. You can also reset your instance of the app to get you back to a stable state.
The app has many features of a modern interactive web application but all in one place they look tempting to any attacker. For example, users can include HTML in their comments and upload files. There is a user account system which includes admin accounts. It implements a simple template language - obviously called Gruyere Template language - so that users can create templates for their messages. More interestingly it is a heavy Ajax user and so you get an opportunity to investigate the much overlooked problems of Ajax security.
As the web site says:
This covers the basic features provided by Gruyere. Now let's break them!
In case you are worried about possible legal action as the result of attempting to attack a web site, Google is thoughtful enough to print a statement that permits you to perform the attack, so long as you are going to use the knowledge to improve the security of sites rather than attack others - security training is always a two-edged sword.
Finally just in case you are not a cheese expert - yes Swiss cheese has holes in it and Gruyere is a Swiss cheese but it doesn't have holes in it. Is this a subtle joke or should the application have been called Emmental?
Whatever the site is called, this is a great opportunity to find out about what makes a site vulnerable and what to do about it.
Will you learn to think like a hacker?
Perhaps not, as attackers tend to follow their own strange paths to create vulnerabilities and don't just follow the paths laid out for them - but it is well worth spending the time trying it out and discovering that hacking is not only possible but sometimes it's easy. Of course how many users will recognise features common to their own sites in Gruyere is a worrying thought....
You can find Gruyere (the program not the cheese) at: