Google's new Jarlsberg server system: full of holes like 'cheese'
Network Administration - A new online offering from Google for web developers includes a server system seeded with a wide range of present-day security vulnerabilities, so that they can search for them, discover them, exploit them and find ways to fix them.
The offering consists of two main parts: a deliberately insecure web application in the form of a mini-blog, called Jarlsberg after a Norwegian cheese, and a detailed step-by-step guide to detecting the vulnerabilities in that web application.
The guide from Google Code University covers cross-site scripting, path traversal, code execution and denial of service (DoS). After that, participants have to get through a small challenge: finding and exploiting vulnerabilities on the Jarlsberg server, with instructions, of course. For those 'students' who do not pass the challenge, each part comes with answers and hints to improve their skills.
This can be considered an online security course from Google. The Jarlsberg server is available on Google's App Engine, or, if you prefer, you can run it locally on your own machine. Analyzing the source code to find the vulnerabilities is not really necessary.
Not all of the vulnerabilities can be found and exploited with a browser. For example, to retrieve a specific file through path traversal, students need to use another tool, the command-line program curl. This may be because some browsers rewrite paths before sending the request, turning http://jarlsberg.appspot.com/305378746796/./secret.txt into http://jarlsberg.appspot.com/secret.txt , so the vulnerability cannot be exploited from the browser.
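The path rewriting described above, next to the server-side check that has to hold no matter what the client sends, as an added JavaScript example (not taken from the article or from Google's material). The host `app.example`, the instance id `123`, the root `/srv/app/123` and both function names are assumptions made for illustration.

```javascript
// Added illustration; host, instance id, root directory and function names
// are constructed for this example and do not come from Jarlsberg itself.

// Client side: a browser parses the typed URL with the WHATWG URL algorithm,
// which removes "." and ".." segments before any request is sent.
function browserRequestPath(typedUrl) {
  return new URL(typedUrl).pathname;
}

// Server side: map a raw request path onto a per-instance root directory and
// refuse anything that would climb above it. Returns the resolved path, or
// null when the request must be rejected.
function resolveUnderRoot(root, rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath); // "%2e%2e" becomes ".."
  } catch (err) {
    return null; // malformed percent-encoding
  }
  // NUL bytes and backslashes have no place in a request path here.
  if (decoded.includes("\0") || decoded.includes("\\")) return null;

  const kept = [];
  for (const segment of decoded.split("/")) {
    if (segment === "" || segment === ".") continue; // no-op segments
    if (segment === "..") {
      if (kept.length === 0) return null; // would leave the root
      kept.pop();
      continue;
    }
    kept.push(segment);
  }
  return kept.length ? root + "/" + kept.join("/") : root;
}

const ROOT = "/srv/app/123"; // constructed per-instance directory

// A browser never puts the ".." on the wire:
console.log(browserRequestPath("http://app.example/123/../secret.txt"));

// A client that sends the path unmodified does, so the server must check:
for (const raw of ["/notes/a.txt", "/../secret.txt", "/%2e%2e/secret.txt"]) {
  console.log(raw, "->", resolveUnderRoot(ROOT, raw));
}
```

Because the browser collapses the path before sending it, testing a server only from the address bar says nothing about how it handles `..` segments; the check has to live on the server.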