Wednesday, May 5

Google's Web Application Security Training Resource - Jarlsberg.appspot.com

"Do no evil".  No really.  The google software team is really firing on all cylinders lately first it was a passive web application security tool ratproxy, then the active web application security assessment tool skipfish, now the people at Google Code University have released a training framework for web developers, security analysts, and anyone else interested in some of the most prevalent web application security threats.

Google Code University has released a distributable web application named jarlsberg coded in python which provides excellent examples of vulnerable application issues.  This includes some common and less-than-common tests (Reflected XSS via AJAX!), including XSS, XSRF, DoS, Code Execution, SQLi, and various others.

Before this, people used webgoat, and other forms of vulnerable applications that came packaged in some of the more popular security live-cds.  This makes all of those obsolete, as it is simple to setup and use, and to reset back to original state.

Although this application isn't as complex as many real web applications, its explanations of the issues, and exploitation hints, make it the perfect test-bed for a simple introductory course (and self-study material) into web application security testing (more to come on this soon!).
Post a Comment