Google is offering programmers their own personal sandbox application—called Jarlsburg—and hints of how to exploit the common vulnerabilities purposefully left in it. Although Google is basically walking folks through how to attack apps, publicizing this info is a necessary evil in order to build safer programmers. We have to start thinking of each line of code, cookie, HTTP request, and configuration option as another attack surface.
The table of contents lists the who’s who of vulnerabilities (though there are a lot more out there). Several of these attacks no one would’ve even dreamed of a few years ago, so the sad reality is that the web is chock full of vulnerable “legacy” apps just waiting to be exploited—unless we can fix them in time.
- Cross-Site Scripting (XSS)
- XSS Challenges
- File Upload XSS
- Reflected XSS
- Stored XSS
- Stored XSS via HTML Attribute
- Stored XSS via AJAX
- Reflected XSS via AJAX
- More about XSS
- Client-State Manipulation
- Elevation of Privilege
- Cookie Manipulation
- Cross-Site Request Forgery (XSRF)
- XSRF Challenge
- More about preventing XSRF
- Cross Site Script Inclusion (XSSI)
- XSSI Challenge
- Path Traversal
- Information disclosure via path traversal
- Data tampering via path traversal
- Denial of Service
- DoS – Quit the Server
- DoS – Overloading the Server
- More on Denial of Service
- Code Execution
- Code Execution Challenge
- More on Remote Code Execution
- Configuration Vulnerabilities
- Information disclosure #1
- Information disclosure #2
- Information disclosure #3
- AJAX vulnerabilities
- DoS via AJAX
- Phishing via AJAX
- Other Vulnerabilities
- Buffer Overflow and Integer Overflow
- SQL Injection