Don’t ever assume that you are safe from hacker attacks. Even some of the biggest companies and agencies out there, like Sony or even the CIA, have been vulnerable to hacker attacks. The best course of action is to make sure your own site is not left open to attacks. Going beyond the basics, you will also need to learn how to find and fix other bugs that can have a significant impact on your site, such as denial-of-service, information disclosure, or remote code execution.
What can you do? Well first, you need to understand how Web security exploits work and guard against them. There is a codelab application called Gruyere that allows you to beat hackers at their own game. In other words, you can find your site’s vulnerabilities before they can. The site explains that you will need to have some familiarity with HTML, templates, cookies, etc., to get the most out of the lab. The aim of the lab is to help you discover the bugs and learn ways to fix them. You will also learn more about how an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
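To make the two vulnerability classes named above concrete, here is a small added example (not code from the original post and not Gruyere's own source) showing the defensive side of each: a snippet renderer that interpolates user text into HTML verbatim (the XSS pattern) next to a hardened version that escapes it, and a state-changing form handler that rejects requests without a valid per-session CSRF token. The function names, the `_token` form field, the session id and the secret are all assumptions for illustration; the sample input is constructed.

```python
import hmac
from html import escape
from urllib.parse import parse_qs

# Constructed sample user input: a harmless script tag mixed with ordinary markup.
SAMPLE_SNIPPET = "<script>alert(1)</script><b>hello</b>"


def render_snippet_unsafe(snippet: str) -> str:
    """Vulnerable pattern: user text is dropped into the page unchanged,
    so any markup it contains becomes live HTML for every viewer."""
    return f"<div class='snippet'>{snippet}</div>"


def render_snippet_safe(snippet: str) -> str:
    """Hardened version: HTML-escape the text so the browser shows it as
    literal characters instead of interpreting it as markup."""
    return f"<div class='snippet'>{escape(snippet, quote=True)}</div>"


def contains_active_html(rendered: str) -> bool:
    """Rough check used here only to show the difference between the two renderers."""
    return "<script" in rendered.lower()


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Derive a token bound to the session (assumed design: HMAC of the session id).
    The server embeds this in its own forms; a foreign site cannot read it."""
    return hmac.new(session_secret, session_id.encode(), "sha256").hexdigest()


def verify_csrf_token(session_secret: bytes, session_id: str, submitted) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    if not isinstance(submitted, str):
        return False
    expected = issue_csrf_token(session_secret, session_id)
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_delete_snippet(form_body: str, cookie_session_id: str, session_secret: bytes):
    """Simulated state-changing handler (hypothetical). A browser will attach the
    session cookie to any cross-site form post, so the cookie alone must not be
    enough; the request must also carry the token only our own page could know."""
    params = parse_qs(form_body)
    token = params.get("_token", [None])[0]
    if not verify_csrf_token(session_secret, cookie_session_id, token):
        return 403, "CSRF token missing or invalid"
    snippet_id = params.get("id", [""])[0]
    return 200, f"deleted snippet {snippet_id}"


if __name__ == "__main__":
    print(render_snippet_unsafe(SAMPLE_SNIPPET))
    print(render_snippet_safe(SAMPLE_SNIPPET))
    secret = b"constructed-secret-for-demo"
    token = issue_csrf_token(secret, "sess-1")
    print(handle_delete_snippet("id=7&_token=" + token, "sess-1", secret))
    print(handle_delete_snippet("id=7", "sess-1", secret))
```

Run it directly to see the escaped output beside the raw one and a 200 versus a 403 from the handler. The point to carry into the lab is that both fixes live on the server: escape at the point where untrusted text meets HTML, and tie every state-changing request to a secret the attacker's page cannot read.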
It is crucial to remember that hacking (attacking a computer without authorization) in any instance is illegal. You will be granted authorization to attack Gruyere only as directed, but you should not use it to attack other applications.
To access Gruyere, go to http://google-gruyere.appspot.com/start. AppEngine will start a new instance of Gruyere for you, assign it a unique id and redirect you to http://google-gruyere.appspot.com/123/ (where 123 is your unique id). Each instance of Gruyere is “sandboxed” from the other instances so your instance won’t be affected by anyone else using Gruyere. You’ll need to use your unique id instead of 123 in all the examples. If you want to share your instance of Gruyere with someone else (e.g., to show them a successful attack), just share the full URL with them including your unique id.
The Gruyere source code is available online so that you can use it for white-box hacking. You can browse the source code at http://google-gruyere.appspot.com/code/ or download all the files from http://google-gruyere.appspot.com/gruyere-code.zip. If you want to debug it or actually try fixing the bugs, you can download it and run it locally. You do not need to run Gruyere locally in order to do the lab.
-Written by Sharren