Gruyere: Learn Web Application Exploits and Defenses

Organize your web security training by building a vulnerable app, exploiting it, and then adding one defense layer at a time. Test each layer individually and in combination. This “Gruyère learning” method produces defenders who think like attackers and attackers who respect defense in depth.


The codelab organizes challenges by vulnerability type, providing real-world examples of:

- Cross-Site Scripting (XSS): including reflected, stored, and file upload-based XSS.
- Cross-Site Request Forgery (XSRF/CSRF)

| Defense Layer | How It Works | Stops Which Exploits |
|---------------|--------------|----------------------|
| (allowlist) | Reject anything not explicitly allowed | SQLi, Command Injection, Path Traversal |
| Output Encoding | Convert `<` to `&lt;` etc. | XSS |
| Parameterized Queries | Separate SQL code from data | SQL Injection |
| CSRF Tokens | Unique, unpredictable tokens per request | CSRF |
| SameSite Cookies | Restrict cookie sending to same site | CSRF |
| CSP (Content Security Policy) | Control which scripts can run | XSS (Stored/Reflected) |
| AuthN/AuthZ Checks | Verify identity and permissions | IDOR |
| Allowlist of Outbound IPs | Restrict server-initiated requests | SSRF |
| WAF (Web App Firewall) | Signature & anomaly blocking | Many, but not all (bypassable) |

If you must store data on the client, sign it with a secret key so the server can detect if it has been tampered with.
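One way to implement the signing advice above, as an added example that is not Gruyere's own code: the client-side state is serialized, tagged with HMAC-SHA256 under a server-side secret, and the tag is checked with a constant-time comparison before the payload is trusted. The secret, the helper names and the sample state are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

# Constructed server-side secret for the example; a real deployment loads it
# from configuration or a secrets manager, never from anything the client sends.
SERVER_SECRET = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is cookie/URL friendly."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def _serialize(state: dict) -> bytes:
    # Canonical JSON: the same dict always produces the same bytes, so the tag
    # is stable and verification does not depend on key order.
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()


def sign_state(state: dict, secret: bytes = SERVER_SECRET) -> str:
    """Return '<payload>.<tag>'. The client can read the payload (base64 is
    not encryption) but cannot forge a tag for a modified payload."""
    payload = _serialize(state)
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_state(token: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Return the state dict if the tag verifies, otherwise None.
    Malformed tokens are treated exactly like tampered ones."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # compare_digest avoids leaking how many tag bytes matched via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(payload)
    except ValueError:
        return None


def tamper_demo() -> Tuple[Optional[dict], Optional[dict]]:
    """Constructed scenario: a genuine token, then the same token with the
    payload edited (is_admin flipped) but the original tag kept."""
    token = sign_state({"user": "alice", "is_admin": False})
    genuine = verify_state(token)
    forged_payload = _serialize({"user": "alice", "is_admin": True})
    forged_token = f"{_b64(forged_payload)}.{token.split('.', 1)[1]}"
    return genuine, verify_state(forged_token)


if __name__ == "__main__":
    ok, forged = tamper_demo()
    print("genuine token ->", ok)
    print("edited payload ->", forged)
```

The point of the constructed `tamper_demo` is that the server never branches on the payload until the tag has been verified; any edit to the client-held bytes, or a token minted under a different secret, comes back as `None` and should be treated as an unauthenticated request.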

🗺️ Path Traversal

This flaw allows attackers to access files on the server that they shouldn't be able to see, such as configuration files or system passwords.

The Exploit
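An added example, not part of the codelab, of the allowlist-then-containment defense the table above lists against path traversal: a client-supplied filename is first checked against an allowlist (no NUL bytes, no absolute paths, a known extension), then canonicalized and required to still lie under the document directory. The base directory `/srv/gruyere-docs`, the extension allowlist and the sample inputs are constructed for illustration.

```python
import os
from typing import Optional

# Constructed document root for the example; realpath() so that the
# containment check below compares canonical paths on both sides.
BASE_DIR = os.path.realpath("/srv/gruyere-docs")
ALLOWED_EXTENSIONS = {".txt", ".md"}


def resolve_user_file(requested: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Map a client-supplied name to a path inside base_dir, or return None.

    Layer 1 (allowlist): reject what a legitimate request never needs.
    Layer 2 (containment): after resolving '..' and symlinks, the path must
    still be under base_dir. Either layer alone would be a single point of
    failure; together they are the defense in depth the table describes.
    """
    name = requested.strip()
    if not name or "\x00" in name or os.path.isabs(name):
        return None
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return None

    candidate = os.path.realpath(os.path.join(base_dir, name))
    # commonpath, not startswith: '/srv/gruyere-docs2/x.txt' starts with
    # '/srv/gruyere-docs' as a string but is not inside that directory.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


def check_requests(names) -> dict:
    """Resolve each constructed request and report accepted/rejected."""
    return {n: resolve_user_file(n) for n in names}


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, the rest traversal-shaped.
    for name, result in check_requests([
        "notes.txt",
        "guides/intro.md",
        "../../etc/secrets.txt",
        "/etc/secrets.txt",
        "notes.txt\x00.jpg",
    ]).items():
        print(repr(name), "->", result or "rejected")
```

Rejections are returned as `None` rather than raised, so the caller can log the original request string for detection purposes (a burst of `..` or absolute-path requests against one endpoint is a useful signal) and answer with a generic 404 that reveals nothing about the filesystem layout.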