Google Releases a Web-App Case Study For Hackers

timothy posted more than 4 years ago | from the just-this-once dept.

Google 95

Hugh Pickens writes "The San Francisco Chronicle reports that Google has released Jarlsberg, a 'small, cheesy' web application specifically designed to be full of bugs and security flaws as a security tutorial for coders, and encourages programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code. Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The codelab is organized by types of vulnerabilities."

"In black box hacking, users try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs. The tutorial notes that accessing or attacking a computer system without authorization is illegal in many jurisdictions but while doing this codelab, users are specifically granted authorization to attack the Jarlsberg application as directed."

First Post (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32104328)

First post.

First Reply (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32104384)

Exploiting a page-layout vulnerability whereby my reply will be the 2nd post even though it chronologically isn't.

Re:First Post (0, Offtopic)

drougie (36782) | more than 4 years ago | (#32104702)

man I hate you guys..

HackThisSite (3, Informative)

brainfsck (1078697) | more than 4 years ago | (#32104972)

I had fun messing around on the site. If you're interested in this sort of thing, HackThisSite.org [hackthissite.org] has about a dozen similar "Realistic Missions" as well as forums and many other types of security-related challenges.

That's brilliant (3, Funny)

Jay L (74152) | more than 4 years ago | (#32104360)

The hard part, though, will be keeping up with all the patches for 0-day missing-vulnerabilities.

Re:That's brilliant (0, Troll)

FuckingNickName (1362625) | more than 4 years ago | (#32104670)

Let me guess, we'll learn:
- Sanitise input so random commands can't be executed on the server;
- Don't allow upload of random files such as malformed JPGs which can include executable code;
- Don't allow upload of HTML snippets which can contain cross-site scripting vulnerabilities;
- Don't use session ID info which can be copy-pasted elsewhere, especially not corresponding to other people's accounts;
- Don't do anything Google hasn't thought of, or they'll get pissy. Remember, you're only allowed to be as secure as Google thinks they are!

Continue the list, guys...

Re:That's brilliant (3, Interesting)

networkBoy (774728) | more than 4 years ago | (#32104788)

Five bucks says we start seeing this code in copy-paste applications soon because people too lazy to write and understand the code they're producing are also too lazy to look where the code came from...

Re:That's brilliant (3, Funny)

fractoid (1076465) | more than 4 years ago | (#32108108)

Five bucks says we start seeing this code in copy-paste applications soon because people too lazy to write and understand the code they're producing are also too lazy to look where the code came from...

I hate you for how plausible that sounds.

Re:That's brilliant (1, Funny)

networkBoy (774728) | more than 4 years ago | (#32110888)

that's what I'm here for ;)

Re:That's brilliant (1)

calmofthestorm (1344385) | more than 4 years ago | (#32105398)

I suspect that Google has this so sandboxed to hell they don't give a fuck what you do to it. VM inside a VM inside a VM inside a VM rebooting and losing state every 5 minutes sounds about right. Also alternate between linux and windows in the VMs, and make sure to run Norton antivirus on all the Windows ones.

For optimal security, randomly vary the VM recursion depth so attackers can't figure it out.

Re:That's brilliant (1)

NatasRevol (731260) | more than 4 years ago | (#32105600)

Norton would slow the VMs down too much....

Re:That's brilliant (1)

calmofthestorm (1344385) | more than 4 years ago | (#32105658)

Good point, we can replace it with a busy waiting process that also thrashes disk, only just a little bit less. Save RAM too.

Re:That's brilliant (0)

Anonymous Coward | more than 4 years ago | (#32114182)

That's pretty much what it teaches, including the bit about not doing anything Google haven't suggested. But enjoy your down-mod for implying that Google aren't the pinnacle of insight.

Re:That's brilliant (0)

Anonymous Coward | more than 4 years ago | (#32104814)

We hate you too.

Right on (1)

cbev (1769390) | more than 4 years ago | (#32104378)

It sounds like a fantastic idea. My favorite course in college was a security course, and the message there was to 'think like an adversary.' At the very least, could be motivation to get more people interested in computer science.

Try Jarlsberg, the newest app from Google... (4, Funny)

Anonymous Coward | more than 4 years ago | (#32104436)

It's odd to see Google striving to be like Microsoft.

Is Google (0)

Anonymous Coward | more than 4 years ago | (#32104452)

now a botnet?

Yours In Perm,
K. Trout

Re:Try Jarlsberg, the newest app from Google... (0)

Anonymous Coward | more than 4 years ago | (#32108860)

Another proof that Micro$oft is years ahead of google and the rest of them.

Re:Try Jarlsberg, the newest app from Google... (0)

Anonymous Coward | more than 4 years ago | (#32115906)

What on earth does that mean?

" designed to be full of bugs and security flaws " (0)

Anonymous Coward | more than 4 years ago | (#32104444)

Obligatory - um, do I really have to say it?

Re:" designed to be full of bugs and security flaw (1)

pwnies (1034518) | more than 4 years ago | (#32104456)

...yes?

Re:" designed to be full of bugs and security flaw (1)

SCVirus (774240) | more than 4 years ago | (#32106678)

it.

Re:" designed to be full of bugs and security flaw (1)

fractoid (1076465) | more than 4 years ago | (#32108110)

NI!

Jarlsberg (5, Informative)

clone53421 (1310749) | more than 4 years ago | (#32104458)

For those who missed the reference, Jarlsberg [wikipedia.org] is a variety of cheese which has large, irregular holes.

Re:Jarlsberg (0)

debile (812761) | more than 4 years ago | (#32104570)

This name is so cheesy!

Re:Jarlsberg (1)

WrongSizeGlass (838941) | more than 4 years ago | (#32104896)

But is it as cheesy as the Moon [google.com] ?

Re:Jarlsberg (2, Funny)

Jarlsberg (643324) | more than 4 years ago | (#32108042)

Everybody loves Jarlsberg. Especially me.

clone53421, do you have a CSC or CIS degree? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32110786)

See subject, and answer its question.

clone53421 - what makes you such a big geneeus? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#32110870)

Mr Bigshot clone says that APK is not a geeneeus but unlike Clonedouche APK has written real tools like APKHideSpywareFromUser.exe and APKLaunchMalwareExe.exe, witch are NOT malware and that is a vishous LIBEL pur-pectuated by nobodys who don't have degrees or at least have not told me they have degrees. So tell us clone have YOU ever written malware? If you haven't what makes you think your qualified to tell us what APK has done? Huh? Huh?

How is that news? (0, Troll)

gksmith (1277536) | more than 4 years ago | (#32104546)

Microsoft has been doing that for decades with such products as Windows and Office.

Re:How is that news? (1)

Weazol (1805024) | more than 4 years ago | (#32104614)

pwned. It is a great idea however it is lacking an achievement system.

Re:How is that news? (0)

Anonymous Coward | more than 4 years ago | (#32104760)

Microsoft was just trying to copy Linux (at least that's what you freetards claim).

How long... (0)

Thelasko (1196535) | more than 4 years ago | (#32104576)

until Jarlsberg is blocked by all of the major security providers?

For those who may ask... (4, Funny)

Juba (790756) | more than 4 years ago | (#32104618)

The webapp is written in Python.

Re:For those who may ask... (1)

kuzb (724081) | more than 4 years ago | (#32106100)

...which is silly, considering it's far from the most popular language for writing web applications.

Re:For those who may ask... (1)

lonecrow (931585) | more than 4 years ago | (#32107520)

Perhaps the point is that it is not the tool it is how it is used that counts.

Re:For those who may ask... (1)

kuzb (724081) | more than 4 years ago | (#32107702)

If you're going to teach vulnerabilities and possibly how to exploit them, it's stupid to use a tool that very few people (comparatively speaking) use. The idea here is to show people the problems and give them a means to see the problems in action. Of course, most people will have to learn a new language in order for this to be useful which diminishes the effort.

Re:For those who may ask... (2, Insightful)

lonecrow (931585) | more than 4 years ago | (#32108224)

OK, so let's consider the two major attack types: cross-site scripting (XSS) and SQL injection (SQLi).

If I am launching an XSS attack against your website I don't really care what language it's scripted in, do I? I just try to defeat whatever process you're using to sanitize my text.

For a SQL injection attack I would think the database engine is more important to know than the script that is passing the crappy dynamic sql to it.

I am not much of a hacker, I just try to defend my sites the best I can. In all my research very little is language specific.

Re:For those who may ask... (1)

totally bogus dude (1040246) | more than 4 years ago | (#32108388)

The point isn't really for you to attack the site. The point is for people writing web applications to look at this deliberately and openly buggy application and see the similarities to their own code. If they can't easily understand the Jarlsberg code then they might not make that connection, thus defeating the whole point of the exercise.

Most of the things they're demonstrating are obvious and well-known to anyone who actively thinks about security and sanitisation of user-supplied data. So while you can argue that any good programmer with knowledge of a handful languages would be able to easily understand Python code, it's not really aimed at the good programmers in the first place.

it's python (1)

story645 (1278106) | more than 4 years ago | (#32108478)

so while you can argue that any good programmer with knowledge of a handful languages would be able to easily understand Python code, it's not really aimed at the good programmers in the first place.

It's aimed at someone who's familiar enough with programming to be doing web dev and serious enough about writing good code to bother using this app. Those people will have no trouble with python, which really isn't all that hard, especially since the app's source is basically self commenting and really clean. I know almost nothing about web dev, but don't have much trouble following the code (granted, I code in python).

Re:For those who may ask... (1)

lonecrow (931585) | more than 4 years ago | (#32108682)

You're right in the sense that if you don't speak python you will have trouble with half the value from this site. Half the value is that you can walk through the attacks and understand how they work, which has nothing to do with the app source code.

The other half of the value is being able to walk through the source and see where the programmer could have plugged some holes. I suspect anyone taking the time to use this site will be able to muddle through. And of course everything google does starts in python then later they maybe add java. I would love to use app engine but I am not strong enough in java yet. (do they even support java on app engine?)

There are other pen test websites like this. You can download hacme bank; it's in vb.net I think. http://www.foundstone.com/us/resources/proddesc/hacmebank.htm [foundstone.com]

Re:For those who may ask... (1)

kuzb (724081) | more than 4 years ago | (#32115986)

The problem here is once you know something can be done, you need to know the best ways to avoid doing it. Each language has its own pitfalls, and identifying the bad code and how to deal with it is the really important part of this exercise. Basically, knowing there is a problem, and knowing how to fix the problem are different things.

I'm not trying to say what Google has done is a bad thing - I just think it would have made more sense to cover popular languages. This would have a greater benefit to the world.

Re:For those who may ask... (0)

Anonymous Coward | more than 4 years ago | (#32122850)

I see 14 black box and 6 white box challenges. Unless you're peeking at the code when you're not supposed to, the language doesn't matter most of the time.

Re:For those who may ask... (1)

negRo_slim (636783) | more than 4 years ago | (#32113396)

Of course, most people will have to learn a new language in order for this to be useful which diminishes the effort.

It's not like you have to be fluent in a language to understand the code to some degree. There are a lot of concepts in programming that transfer amongst the various languages and it would take no more than a trip to Wikipedia to see how any language works in relation to any other.

Reasons for Python (1)

LeoMaheo (1683908) | more than 4 years ago | (#32145666)

Perhaps the reasons for choosing Python are
1) the application runs on Google's App Engine, which supports (only) Python and the Java VM. (So Google saved lots of time reusing their AppEngine machinery.)
2) Python being an easy to understand language.

a tutorial from China (0, Flamebait)

FuckingNickName (1362625) | more than 4 years ago | (#32104624)

would be better. I have no trust in being taught security principles by a closed source company whose greatest asset is information about me.

All the good security texts are by people who are open with their ideas, open with their methods and open with their code.

Re:a tutorial from China (2, Insightful)

Spad (470073) | more than 4 years ago | (#32104674)

...while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs.

Those closed [google.com] source [android.com] bastards!

Re:a tutorial from China (1, Informative)

FuckingNickName (1362625) | more than 4 years ago | (#32104746)

Android is built on Linux, which is open source. Google's apps on Android are closed source.
Chromium is built on WebKit, which is built on KDE's HTML rendering engine, which is open source. Chrome is closed source.

So even when they're taking great advantage of open source, like Apple, they can't resist making sure the full kaboodle is closed. And these are just their minor projects.

Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).

Re:a tutorial from China (1)

Darkness404 (1287218) | more than 4 years ago | (#32104854)

However, for both Android and Chrome, you can easily roll your own version without much trouble. Yeah, Google applications are nice on Android, but you can use alternates.

So even when they're taking great advantage of open source, like Apple, they can't resist making sure the full kaboodle is closed. And these are just their minor projects.

However, Google does a lot more to foster openness than Apple. Google doesn't like locked-down Android phones (otherwise why would they release the Nexus One?), Apple however seems to love having a closed platform.

Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).

Well of course it is closed. It is more or less a trade secret. If PageRank was open source, Google would be no more. However, unlike closed source programs, it doesn't hinder usability and it works better than competitors.

Re:a tutorial from China (1)

FuckingNickName (1362625) | more than 4 years ago | (#32105148)

Well of course it is closed. It is more or less a trade secret.

Yeah, that's everyone's excuse for closed source.

If PageRank was open source, Google would be no more.

I didn't realise Google were such a one-trick po.. OK, yes I did. Good! Let them "innovate" in better ways than by hiding their super sekrit algorithms from each other. No wonder there's been so little advance in search quality over the past decade.

However, unlike closed source programs, it doesn't hinder usability and it works better than competitors.

Sometimes it does, sometimes it doesn't. There are half a dozen good search engines and, if you're just using Google, you're getting a fairly skewed view of the web. And it certainly hinders usability that others can't improve PageRank!

Re:a tutorial from China (1)

negRo_slim (636783) | more than 4 years ago | (#32113536)

Yeah, that's everyone's excuse for closed source.

Then don't use the products? For Christ's sake man, you're going to have to put up with a mixed eco system, hegemony is not going to be a good thing regardless of whether it's closed or open source.

There is nothing that says you are entitled to effective search, or entitled to a pointless touchscreen "phone" (sorry they are nothing more than two way radios to me and I can't understand people spending more than 50 bucks on a phone, but that's my problem).

You can avoid all the closed source stuff in the world and shut that trap of yours, no one is stopping you.

Re:a tutorial from China (1)

Bromskloss (750445) | more than 4 years ago | (#32105740)

Their major search thing is as closed as they promised it wouldn't be (though no-one remembers that any more).

I didn't know they had promised that. Do you have a link?

Re:a tutorial from China (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#32104782)

*yawn* Come back to us when you show us when they've open sourced the adsense/adwords platform, or all their Linux kernel changes they've kept to themselves, or GoogleF, or their PageRank code. You know, things that are actually fundamental to their revenue stream.

Re:a tutorial from China (0)

Anonymous Coward | more than 4 years ago | (#32105048)

Come back to us when you provide full access to all your code that you base your business on. You know, what you earn money from. The thing that puts food on your table, pays the rent, allows your children to have all their toys.

Oh, I'm sorry. You're living in your parents' basement and don't have to earn a living.

Re:a tutorial from China (1)

FuckingNickName (1362625) | more than 4 years ago | (#32105200)

Almost all the code I've deployed since 2001 is or has been (in cases where it's way too outdated to be usable) available publicly. I shan't link to it, because it'd link my real identity to my /. account - I value privacy, even though most of today's 'net users don't.

The first and only office-y job I had before that, before self-employment, guarded its code jealously. While I went some small way to opening things up, they weren't that interested. Since then I've been able to fully form and stick to principle.

Try again.

Re:a tutorial from China (1)

Capt. Skinny (969540) | more than 4 years ago | (#32107062)

It's one thing to promote open source (I think it's great myself), but I'll never understand disdain for closed source. If someone wants to spend their time or money producing code, what they do with it is up to them. If you don't like it, don't use it -- but at least respect the freedom of choice of the person or organization that wrote it.

Re:a tutorial from China (1)

FuckingNickName (1362625) | more than 4 years ago | (#32109062)

I don't "respect" Google, and the only reason I wouldn't use their code commercially (with correct attribution) if I found it lying in the middle of the road is that I might face legal problems. If you don't want an idea shared, don't tell it to anyone, and I'll respect your right not to be tortured or otherwise forced to reveal it. Otherwise respect my freedom of choice to speak what I know.

But you're strawmanning, because my argument was simply to never trust a security lesson from an outfit like Google. Since my previous posts, I've gone through it, and it turns out the tutorial is so basic and rendered redundant by many far more in-depth security challenges on the web.

Re:a tutorial from China (0)

Anonymous Coward | more than 4 years ago | (#32111774)

What does open/closed source have to do with this? And just because you already know everything about security doesn't mean that other people do. Everyone has to start somewhere. Otherwise Slashdot for Dummies [amazon.com] wouldn't be such a big seller!

Re:a tutorial from China (1)

FuckingNickName (1362625) | more than 4 years ago | (#32113382)

What does open/closed source have to do with this?

Yes, why not trust the motives of people who keep everything a secret?

Everyone has to start somewhere.

Absolutely. But a little learning is a dangerous thing where security is concerned - by the writers too, it seems, since they come out with stuff like Python implying imperviousness to buffer overflows (another commenter has covered this well in the posts he links to).

I'd have let them get away with it if they'd chosen a more honestly self-deprecating title. How about, "Brief introduction to inherent problems with the HTML application model we're obsessed with, and necessary workarounds"?

Re:a tutorial from China (0)

Anonymous Coward | more than 4 years ago | (#32118666)

So you don't drink Coca-Cola or eat Big Macs or KFC, right? These companies all keep their ingredients secret and *advertise* that fact. FYI, the only major soft drink brand with no secret ingredients is 7UP.

Funny for you to criticize the title when your post is titled "a tutorial from China". I think every book on programming should be titled "hey, get a clue, there's no way that reading a book is going to teach you programming".

Re:a tutorial from China (1)

Lunix Nutcase (1092239) | more than 4 years ago | (#32105988)

Oooh ice burn! The fact of the matter is that Google is not an open source company. No one would accept people claiming that Microsoft is an open source company by pointing out how they have open sourced the ASP.NET MVC framework. Just because Google has open sourced some pet projects that have little to no bearing on their revenue stream doesn't make them an open source company.

Re:a tutorial from China (0)

Anonymous Coward | more than 4 years ago | (#32104936)

It's flamebait to not trust Google? I'm not sure I like the 'net any more.

Carte blanche to hack Google? (0)

Anonymous Coward | more than 4 years ago | (#32104646)

Any cracker who comes along and attacks Google will now be able to say that they were doing it as part of this project. Yes, I realize there are many disclaimers, but it will be at least an appearance of an excuse where none previously existed.

Re:Carte blanche to hack Google? (1)

ceejayoz (567949) | more than 4 years ago | (#32105112)

Oh, bullshit. By that logic, a speed limit sign in one location would invalidate speeding tickets for all other locations.

Obligatory (3, Funny)

Yvan256 (722131) | more than 4 years ago | (#32104668)

Customer: Jarlsberg, perhaps?
Owner: Ah! We have Jarlsberg, yessir.
Customer: (surprised) You do! Excellent.
Owner: Yessir. It's..ah,.....it's a bit runny...
Customer: Oh, I like it runny.
Owner: Well,.. It's very runny, actually, sir.
Customer: No matter. Fetch hither the cheese of Norway! Mmmwah!
Owner: I...think it's a bit runnier than you'll like it, sir.
Customer: I don't care how fucking runny it is. Hand it over with all speed.
Owner: Oooooooooohhh........! (pause)
Customer: What now?
Owner: The cat's eaten it.
Customer: (pause) Has he.
Owner: She, sir.

Ooh, cheese! (3, Funny)

dangitman (862676) | more than 4 years ago | (#32104784)

Cheese is a kind of meat
A tasty yellow beef
I milk it from my teat
But I try to be discreet
Ooh, cheese.
Ooh, cheese.

Re:Obligatory (1)

idontgno (624372) | more than 4 years ago | (#32105122)

Well cited, Mostly. Although the particular part you cite is actually the "Camembert" portion of the skit.

However, the names of the customer (Mousebender) and the proprietor (Wensleydale) are known [wikipedia.org] . As, apparently, all the cheeses [wikipedia.org] named in the sketch.

Which, if you think about it, says as much about Wikipedia as it does about Monty Python or the Jarlsberg web app.

This is a joke. (1)

MyLongNickName (822545) | more than 4 years ago | (#32104696)

I followed the link and ended up at microsoft.com. Really funny Google... really funny.

Re:This is a joke. (1)

Bat Country (829565) | more than 4 years ago | (#32115138)

Meth: not even once.

Cheesy web-app full of bugs (1)

MyLongNickName (822545) | more than 4 years ago | (#32104718)

Should Slashdot really be throwing stones?

I do the same thing (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#32104800)

Every Sunday, I go to the park dressed as an old woman. My purse is open, I have a heavy gold necklace on, and I am counting my money in my wallet. It's a teaching exercise in taking advantage of old women. Anything they get from me, they get to keep. In this way, I hope to educate... and so on and so forth ... to cut a long story short, the end result will be that old women will be more secure in my area.

Re:I do the same thing (0)

Anonymous Coward | more than 4 years ago | (#32105052)

Google have got to that hubris stage of hiring random pretty women with low qualifications, and their security product is shitty articles rather than, you know, essential stuff like intrusion detection. Whence the IE leak - imagine what else has been achieved by governments and organised criminals!

This is why I left accountancy... the big firms were rife with this behaviour, and while it was fun for a while, working became impossible once you saw that competence was being replaced with eye candy.

Re:I do the same thing (0)

Anonymous Coward | more than 4 years ago | (#32107302)

at least with accounting firms, the cute trim is an unstated part of what the client is paying for

in silicon valley the tendency is for the entire place to fill up with airhead producers and marketing assistants, and they don't even date the super genius programmers supposedly at the core of the operation

Web Goat (4, Informative)

dhadley519 (876667) | more than 4 years ago | (#32105266)

Interested parties should also be aware of web goat by the owasp team. http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project [owasp.org]

Re:Web Goat (5, Funny)

halcyon1234 (834388) | more than 4 years ago | (#32107174)

Yeah-- as a rule of thumb, I don't follow any link on Slashdot that matches /^.*goat.*$/i

Re:Web Goat (1)

Kesch (943326) | more than 4 years ago | (#32107342)

I hear it features some pretty impressive holes.

Re:Web Goat (0)

Anonymous Coward | more than 4 years ago | (#32111458)

/^.*goat.*$/i

Perhaps you meant /goat/i ? No need for anchors and dot-star matching.

Subliminal Job Application (1)

everweb (1099901) | more than 4 years ago | (#32105334)

Is this another Google talent scout tool like their billboard of a few years ago ? Find the hidden easter egg and you're given a phone number at Google HR to call...

Re:Subliminal Job Application (1)

FuckingNickName (1362625) | more than 4 years ago | (#32105544)

That was barely a challenge - probably more to gauge how many people were paying attention. GCHQ put out some interesting challenges from time to time (not all of which are still on their site, so look further if you're searching).

Is this software... (1)

fotoguzzi (230256) | more than 4 years ago | (#32105348)

...Beta?

Fine print in the last line... (1)

Hylandr (813770) | more than 4 years ago | (#32105504)

"As Directed"...

Check out smashthestack.org (0)

Anonymous Coward | more than 4 years ago | (#32106052)

There's a few different games to be played. Different games are located on different SSH ports (2222-2227).

While I don't have any involvement in this, I know my friend helps host one of them, and to get started visit http://logic.smashthestack.org:88

It's fun and will make you think... it can actually get quite aggravating when you can't beat a "level" because you're over thinking it lol. The games involve PHP exploits, buffer overflow, etc. Give it a try!

Griefers, unite (1)

halcyon1234 (834388) | more than 4 years ago | (#32107242)

AppEngine will start a new instance of Jarlsberg for you, assign it a unique id ... http://jarlsberg.appspot.com/123/ [appspot.com] (where 123 is your unique id). If you want to share your instance of Jarlsberg, just share the full URL with them including your unique id.

...it is possible to put your Jarlsberg instance into a state where it is completely unusable. If that happens, you can push a magic "reset button" to wipe out all the data in your instance and start from scratch. To do this, visit this URL with your instance id: http://jarlsberg.appspot.com/resetbutton/123 [appspot.com]

I think I've spotted a vulnerability:

$griefingIsFun = 0;
while (1)
get("http://jarlsberg.appspot.com/resetbutton/" . $griefingIsFun++);

Re:Griefers, unite (1)

Vroo (1804526) | more than 4 years ago | (#32108238)

There's a captcha there.

hi (0, Troll)

janejordan (1805290) | more than 4 years ago | (#32107852)

I didn't know they had promised that. Do you have a link? Croatia Accommodation Map [welcome-to-croatia.com]

the problem with learning insecurity from web-devs (3, Interesting)

justinnf (1799382) | more than 4 years ago | (#32107884)

is that they generally don't know wtf they're talking about; I only looked at the part on buffer/integer related overflows; where they take the moment to not only give me flat out wrong advice, but also see fit to try and propagandize me:

"This codelab doesn't cover overflow vulnerabilities because Jarlsberg is written in Python, and therefore not vulnerable to typical buffer and integer overflow problems. Python won't allow you to read or write outside the bounds of an array and integers can't overflow. While C and C++ programs are most commonly known to expose these vulnerabilities, other languages are not immune. For example, while Java was designed to prevent buffer overflows, it silently ignores integer overflow. "

The thing is google of all organizations, and specifically appspot should know better. I mean, I [seclists.org] already [seclists.org] told [eusecwest.com] them [eusecwest.com] . I mean seriously, look at this [python.org] .

Of particular interest is: http://bugs.python.org/issue2620 [python.org] ... reported: 2008-04-11 22:35:37 bug closed: ?????

Just stop with this incessant bullshit 'lol hey my program-by-number language of choice doesnt have memory corruption security issues@#@!#'. It's all assembly at the end, and the processor does whatever you tell it, so everything has this problem. I thought this would be clear from my work, Dowd's actionscript work, nemo's obj-c work, ilja's pascal work, brezinski & mcdonalds ruby work, et cetera.

In short, when you try to talk about things you don't know, especially in the realm of security; you do more harm than good.

Re:the problem with learning insecurity from web-d (0)

Anonymous Coward | more than 4 years ago | (#32110776)

Pet peeve much?

1. How many people in the world do you think know about this issue? There's info on a Python bug list and slides for a single security conference. Guess what? Very, very few developers, security or not, follow every Python bug or every conference paper. So instead of complaining about how negligent the author is, why don't you just tell HIM about the bug? Get used to the fact that NOBODY in the real world pays active attention to academic advances in any field. If one of these advances is yours, it's up to you to spread the word. Blame the world if you like, but you're the only one who can/will change it.

2. There is no way in hell this codelab does more harm than good. So the author did not mention one attack vector? Of course he didn't. Nobody in the world is aware of every single vulnerability that is conceivably out there. And so you think this means nobody should ever tell others what they know about security? Great idea!

3. There's a big difference between a function breaks in Python because of what will almost certainly be a transient bug in the language implementation, and a function breaks in C++ because it breaks by design. Get off your high horse.

Re:the problem with learning insecurity from web-d (1)

soma (20246) | more than 4 years ago | (#32112428)

You're being unfair to the Jarlsberg developers. "not vulnerable to typical buffer and integer overflow problems" is not the same as not vulnerable to *any* such problems. I agree they could be more specific, but it is true that you can't just run off the end of an array in Python like you can in C.

The bug report you refer to is about a flaw in the Python runtime environment, which is in fact a C program, and so is vulnerable to all the same problems as other C programs. To exploit this you have to give Python weird input. To corrupt memory in C, however, you just use regular language features, e.g., increment a pointer.

But anyway, spending your time looking for buffer and integer overflows in web applications is like looking to fix holes in the walls of a house where a tree has destroyed the roof - there are much bigger problems to worry about. Jarlsberg and WebGoat nicely illustrate this.
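An added example, not code from the thread or from Jarlsberg, illustrating the distinction drawn in the comments above: Python bounds-checks every memory access and its integers do not wrap, but a bounds check written with fixed-width arithmetic still passes a bad length, and a Python slice then returns short data without raising. The record format, function names and sample bytes are constructed for illustration.

```python
import struct

MASK32 = 0xFFFFFFFF  # width of a C uint32_t / Java int


def end_offset_u32(start, length):
    """start + length computed as 32-bit unsigned arithmetic: wraps silently."""
    return (start + length) & MASK32


def read_record_wrapping(buf, offset):
    """Length-prefixed read whose bounds check uses 32-bit wrapping arithmetic."""
    (length,) = struct.unpack_from("<I", buf, offset)
    start = offset + 4
    if end_offset_u32(start, length) > len(buf):
        raise ValueError("record runs past end of buffer")
    # In C this would read `length` bytes starting at `start`. Python's slice
    # is bounds-safe, so it returns fewer bytes than declared instead.
    return length, buf[start:start + length]


def read_record_checked(buf, offset):
    """Same read with Python's arbitrary-precision ints: the sum cannot wrap."""
    (length,) = struct.unpack_from("<I", buf, offset)
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("record runs past end of buffer")
    return length, buf[start:start + length]


def index_is_bounds_checked(buf, i):
    """Indexing (unlike slicing) raises instead of reading out of bounds."""
    try:
        buf[i]
    except IndexError:
        return True
    return False


# Constructed input: declared length 0xFFFFFFFF, only 3 payload bytes follow.
SAMPLE = struct.pack("<I", 0xFFFFFFFF) + b"abc"

if __name__ == "__main__":
    declared, data = read_record_wrapping(SAMPLE, 0)
    print("wrapping check accepted: declared", declared, "got", len(data))
    try:
        read_record_checked(SAMPLE, 0)
    except ValueError as exc:
        print("checked read rejected:", exc)
    print("buf[100] bounds-checked:", index_is_bounds_checked(SAMPLE, 100))
```

The memory-safety guarantee removes the over-read, not the logic error: a caller of the first function still has to compare the declared length with the bytes it actually received.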

done (1)

ViralInfection (1221188) | more than 4 years ago | (#32108574)

http://jarlsberg.appspot.com/ [appspot.com] /saveprofile?action=new&uid=lol&pw=cats&is_author=True&is_admin=True *sigh*, I was expecting more of a challenge from the big G.
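An added example, not part of the comment above and not Jarlsberg's own code: the request quoted there sets `is_author` and `is_admin` from URL parameters, and the sketch below contrasts a handler that copies every parameter into the profile with one that copies only allowlisted fields and takes privilege fields only from a caller who is already an admin. The parameter names come from the quoted URL; the handler names, the `caller` dictionary and the host in the sample URL are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Fields a user may set on their own profile (assumed set for this sketch).
SELF_SERVICE_FIELDS = {"uid", "pw"}
# Fields that change privilege; only an existing admin may set them.
PRIVILEGED_FIELDS = {"is_author", "is_admin"}


def new_profile():
    return {"uid": None, "pw": None, "is_author": False, "is_admin": False}


def parse_params(url):
    """Return single-valued query parameters; reject repeated keys."""
    params = {}
    query = urlsplit(url).query
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError("repeated parameter: " + key)
        params[key] = values[0]
    return params


def naive_save_profile(params, caller):
    """Mass assignment: every request parameter becomes a profile attribute."""
    profile = new_profile()
    for key, value in params.items():
        if key != "action":
            profile[key] = value  # "True" is a non-empty string, so truthy
    return profile


def hardened_save_profile(params, caller):
    """Copy allowlisted fields only; privilege fields need an admin caller.

    Returns (profile, rejected) so the rejected names can be logged.
    A real handler would also hash pw before storing it.
    """
    profile = new_profile()
    rejected = []
    for key, value in params.items():
        if key == "action":
            continue
        if key in SELF_SERVICE_FIELDS:
            profile[key] = value
        elif key in PRIVILEGED_FIELDS and caller.get("is_admin") is True:
            profile[key] = (value == "True")
        else:
            rejected.append(key)
    return profile, sorted(rejected)


# Constructed request: the query string from the comment on a placeholder host.
SAMPLE_URL = ("http://example.test/123/saveprofile"
              "?action=new&uid=lol&pw=cats&is_author=True&is_admin=True")
ANONYMOUS = {"uid": None, "is_admin": False}
ADMIN = {"uid": "root", "is_admin": True}

if __name__ == "__main__":
    params = parse_params(SAMPLE_URL)
    print("naive:   ", naive_save_profile(params, ANONYMOUS))
    print("hardened:", hardened_save_profile(params, ANONYMOUS))
    print("as admin:", hardened_save_profile(params, ADMIN))
```

The `rejected` list is worth logging: a non-admin request that names `is_admin` is a useful detection signal in its own right.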

hi (0, Offtopic)

katehudson06 (1805440) | more than 4 years ago | (#32108674)

We're all waiting for your next article of course. Holiday Apartments Bol [apartments...roatia.com]

Jarlsberg (2, Funny)

GlobalColding (1239712) | more than 4 years ago | (#32108684)

For The Cheese!

What a perfect way to prove.... (1)

npcole (251514) | more than 4 years ago | (#32108732)

What a perfect way to prove just how fundamentally broken the technologies of the web are. Content, arguments, scripts, user-data....it's all just one big mess. I got to the point about hosting content on separate domains to avoid some XSS attacks and thought: when the security *fixes* look like kludges, something is very, very wrong.

This isn't anything new (1)

ioexcept (654974) | more than 4 years ago | (#32109774)

Not sure why this is making headlines, Microsoft has been doing this for years.