In the last couple of months there were a lot of treads related to web and application security, many government websites were hacked. The list of big company websites that were under attack is lengthy, but I will just mention few – Sony, Nintendo, Sega and there were so many treads for Facebook, so even biggest names in the business can be vulnerable to hackers.
Nobody is 100% assured that even managing low to mid-profile website will not become a target to hackers. I’ve seen many times small websites of my customers being attacked and once spotted; hackers become persistent and try over and over again. Recommended practice - close all potential security holes and even pay some extra money for DDoS attack protection.
Today’s web is so complicated and more often web developers are developing website with cross-site scripting which open many doors like privilege elevation tricks, database injection, cookie exploits, Ajax vulnerabilities and more.
Learning all about web security requires a lot of reading – book, forums, security guides and of course constant communication with other web developers. If you website is based on some of the top CMS like WordPress, Joomla or Drupal, most likely community will take care for all possible problems, however you can do this on your own and also contribute this knowledge to the community.
Getting Started with Gruyere
- Every single Gruyere user have own instance of their application, so there won’t be any conflicts with other user applications. So create account, however a good practice is using different that regular username and password as this is not practice.
- Of course you start and Home page. Look various URLS; you can see that you can enter HTML into New Snippet box.
- Main Gruyere page is a good resource, so every time you stuck somewhere, each section will help you with explanations for particular exploits, so you can be back to demo app after that.
- Good practice is to try to figure out each challenge on your own, without looking at the hints first. Of course if you are completely clueless – click Hint->Exploit and Fixes and you will find the solution for this particular problem.
I really like this practical way of learning more about web application security, definitely a great way to learn more about web security. Just an advice, if you really interested to learn more don’t just start and stop at Gruyere, there are many resources online that can help you learn more.