OWASP Class Lab 2 Gruyere - Hsanokklis/2023-2024-Tech-journal GitHub Wiki

For this lab we will be using this website: https://google-gruyere.appspot.com/#0__hackers

Go here to start: https://google-gruyere.appspot.com/start

If stuck on characters, there are plenty of ASCII tables & HTML URL Encoding References online.

Setup

When working through these challenges there are a few methods that you will need to know.

  • Black box hacking

    • Finding security bugs by experimenting with the application: manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior.
    • You do not have access to the source code, although knowing how to view the page source and the HTTP headers (as you can in Chrome, or with LiveHTTPHeaders for Firefox) is valuable.
  • White-box hacking

    • You have access to the source code and can use automated or manual analysis to identify bugs.

About the code

The code is organized as follows:

  • gruyere.py is the main Gruyere web server
  • data.py stores the default data in the database (there is an admin account and 2 default users)
  • gtl.py is the Gruyere template language
  • sanitize.py is the Gruyere module used for sanitizing HTML to protect the application from security holes
  • resources/.. holds all template files, images, CSS, etc.

Features and Technologies

  • HTML in Snippets: Users can include a limited subset of HTML in their snippets.
  • File upload: Users can upload files to the server, e.g., to include pictures in their snippets.
  • Web administration: System administrators can manage the system using a web interface.
  • New accounts: Users can create their own accounts.
  • Template language: Gruyere Template Language (GTL) is a new language that makes writing web pages easy, as the templates connect directly to the database. Documentation for GTL can be found in gruyere/gtl.py.
  • AJAX: Gruyere uses AJAX to implement refresh on the home and snippets page. You should ignore the AJAX parts of Gruyere except for the challenges that specifically tell you to focus on AJAX.

Get to know the features of the site

  • View other users' snippets by following the "All snippets" link on the main page and check out what they have their homepage set to
  • Sign up for an account yourself
  • Fill in account profile
  • Create a snippet
  • Upload a file to your account

Challenge 1: XSS

On the right side of the Codelab page, you will find links to challenges. To further understand XSS techniques, complete the following 3 challenges:

  • Reflected XSS
  • Stored XSS
  • Stored XSS via HTML Attribute

File Upload XSS

Challenge: Can you upload a file that allows you to execute arbitrary script on the google-gruyere.appspot.com domain?

Method:

My first attempt included making an HTML file in order to execute an arbitrary script. To do this I went into the command line and made a file called yummy.txt. I then made the script below and changed the file name to yummy.html with the command ren yummy.txt yummy.html. When I uploaded the file to the website, it spat out a link, and when I went to the link it popped up with my alert!

[screenshot]

Here is the link and the pop up!

[screenshot]

[screenshot]

My second attempt was with a message instead of a number. In order to do this I changed my script slightly to just incorporate the message within quotation marks, as you can see below.

[screenshot]

I ran into an issue in which my browser wasn't loading the new message; it kept loading the old alert(1), so I just opened another browser, input the link, and the message worked. I could have also refreshed my browser's cookies if I wanted to.

[screenshot]

Tips:

  • Use ren to rename files in Windows, e.g. ren cheese.txt cheese.html
  • An arbitrary script, or arbitrary code execution, means code of the attacker's choosing runs where it should not be allowed to; here, script running in the context of the google-gruyere.appspot.com origin, with access to that site's cookies and pages.
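
One way to see why the uploaded yummy.html ends up running script on the application's own origin, and what a server-side fix looks like, as an added example in Python (this is not Gruyere's own code; the two policy functions and the image allow-list are assumptions of this example):

```python
# Added example, not Gruyere's own code: two policies an upload handler could
# apply when serving a stored file back to the browser. Function names and the
# allow-list are this example's own assumptions.
import mimetypes
import re

# Magic-byte prefixes of the only types we are willing to serve inline.
IMAGE_SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "image/jpeg": b"\xff\xd8\xff",
}


def weak_headers(filename: str, data: bytes) -> dict:
    """Vulnerable policy: the response type is guessed from the uploader's
    file name, so yummy.html comes back as text/html and renders inline."""
    ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    return {"Content-Type": ctype, "Content-Disposition": "inline"}


def hardened_headers(filename: str, data: bytes) -> dict:
    """Safer policy: inline only when the bytes prove the file is an
    allow-listed image; everything else is forced to download as an opaque
    blob, with sniffing disabled so the browser cannot upgrade it to HTML."""
    for ctype, magic in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return {"Content-Type": ctype,
                    "Content-Disposition": "inline",
                    "X-Content-Type-Options": "nosniff"}
    # Strip anything that could smuggle extra header content via the name.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "X-Content-Type-Options": "nosniff"}


def renders_as_html(headers: dict) -> bool:
    """Would a browser execute script from this response on the app origin?"""
    return (headers["Content-Type"].startswith("text/html")
            and headers["Content-Disposition"] == "inline")


if __name__ == "__main__":
    # Constructed sample: the upload from the write-up above.
    upload = ("yummy.html", b"<script>alert(1)</script>")
    print("weak policy runs script:", renders_as_html(weak_headers(*upload)))
    print("hardened policy runs script:", renders_as_html(hardened_headers(*upload)))
```

The hardened policy also catches a file that is named .png but contains HTML, since the decision is made on the bytes rather than the name.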

Reflected XSS

Challenge: Find a reflected XSS attack. What we want is a URL that when clicked on will execute a script.

There's an interesting problem here. Some browsers have built-in protection against reflected XSS attacks. There are also browser extensions like NoScript that provide some protection. If you're using one of those browsers or extensions, you may need to use a different browser or temporarily disable the extension to execute these attacks.

Method:

  • In the URL I put <script>alert(1)</script> and it worked!

[screenshot]

Tips:

Challenge 2: XSRF

Challenge 3: Information Disclosure by Path Traversal

Challenge 4: Data Tampering by Path Traversal
