This ‘meta exercise’ guides you through a series of smaller exercises on
classic web vulnerabilities, created by Bruce Leban, Mugdha Bendre and Parisa
Tabriz. These exercises all use a specially-crafted buggy web application
named Gruyere. You can choose whether to use Gruyere online or run
it locally by downloading
gruyere-code.zip. For more
information, see the Gruyere setup instructions.
Begin by reading through the information on XSS provided by Gruyere.
Do the first three XSS Challenges: File Upload XSS, Reflected XSS and Stored XSS. In each case, try figuring out a solution for yourself first. If you are stuck, look at the provided hints(s). If you are still uncertain after using the hints, view the Exploit section for the solution and try out the exploit for yourself.
Optional: If you have particular interest in or prior experience of web development, try doing one or more of the remaining XSS Challenges.
Begin by reading through the information on XSRF provided by Gruyere.
Attempt the XSRF Challenge. Use the Hint to help you if necessary. If you are still having trouble, view the Exploit section and try out the exploit for yourself to get an idea of how XSRF works.
One of the simplest attacks on a web application involves manipulating the directory structure of the application in order to read or view private data. Almost all applications have security protections against this attack but it is helpful to understand this attack in order to protect against it in your own applications.
Begin by reading the information on path traversal provided by Gruyere.
Attempt the Information Disclosure and Path Tampering challenges. In each case, try to figure out a solution for yourself first. Use the provided hints if you are stuck. If you are still having trouble finding a solution, view the Exploit section and then try the exploit for yourself.
Optional: if you want more practice, login to Immersive Labs and do the lab on directory traversal in web applications. This will involve attacking a target whose IP address is given on the network information panel. Click on the Network button at the top-right of the screen to access this panel. Then run the Chromium browser from the Linux VM’s desktop and type that IP address into the address bar.
Begin by reading the information on client state manipulation provided by Gruyere.
Attempt the Elevation of Privilege and Cookie Manipulation challenges. These are more difficult than the previous challenges, so don’t be afraid to use the hints. (You’ll definitely need to look at the first hint for the Cookie Manipulation challenge.) As before, if you are truly stuck then examine the Exploit section for a solution and try it out.