It may seem counterproductive for Google to teach people to think like cyber criminals, but that is exactly the goal of Google's "Web Application Exploits and Defenses" codelab.
Jarlsberg, the codelab's sample application, can be used either in a black-box setting, where the student has no access to the source code, or in a white-box setting, where the student has complete access to the code. In both cases it teaches web developers how certain web-based attacks work and what can be done to fix them.
Personally, I love these types of tutorials because I like the challenge. Having to poke around the different entry points using nothing more than educated trial and error gives you real insight into how the various attacks work. In fact, much of what I know about web application security was learned from the hacker challenges you can find all over the web. Unfortunately, there is a major flaw in the design of this codelab, and it is one shared by many similar tutorials on the Web: there are no walkthroughs or solutions available for the developer who just wants to see how the different exploits work.
For example, when learning how a reflected XSS attack works, the student is given two hints. If these don’t help, they can opt for the “Exploit and Fix” tab, which provides the following steps on how to perform this exploit:
To exploit, create a URL like the following and get a victim to click on it:
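The reflected XSS lesson comes down to one defect: a query parameter is copied verbatim into the HTML response. The following Python snippet, added here for illustration and not taken from the codelab or from Jarlsberg's own source, shows the vulnerable rendering beside the fixed one and a small check a reviewer could run against a response. The URL, parameter name and page markup are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: the "q" parameter is reflected into the page.
# The host and path are placeholders, not the codelab's real URL.
SAMPLE_URL = "http://jarlsberg.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, URL-decoded."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(term: str) -> str:
    """Reflects the parameter verbatim, so the browser parses it as markup."""
    return f"<p>Results for: {term}</p>"


def render_fixed(term: str) -> str:
    """HTML-escapes the parameter before interpolation, so it renders as text."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def reflects_markup(page: str, term: str) -> bool:
    """Check used when reviewing a response: the input contained characters
    that are significant in HTML and came back unchanged."""
    return term != html.escape(term, quote=True) and term in page


if __name__ == "__main__":
    term = query_param(SAMPLE_URL, "q")
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render(term)
        print(f"{name}: reflects raw markup = {reflects_markup(page, term)}")
        print("  ", page)
```

The check in `reflects_markup` is deliberately narrow: it only flags input that contains HTML-significant characters and reappears unescaped, which is the exact condition the "fix" half of the lesson removes. Context-aware escaping is still required where the value lands inside an attribute, a script block or a URL rather than in element text.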
Google’s intent is to get developers thinking like the bad guys, because that is the only way to see, and learn, how the simplest things can be exploited on a web site. Unfortunately, two attitudes prevalent in a majority of organizations interfere with what Google is trying to accomplish, and both can be tied to the fact that Google does not give learners an easy way out.
As we saw in a previous post, many organizations simply don’t dedicate the resources to properly protect web applications. Even though “Web Application Exploits and Defenses” is completely free, the time spent going through the lessons can be costly. Without a solutions guide or a walkthrough, even organizations that buy into these lessons may begin to wonder why their developers are spending so much time playing around on the Web.
People who play video games are confronted with challenges every time they turn on their favorite console. These challenges require the player to figure out how to accomplish a certain task. If, after several failed attempts, they still cannot complete the mission, they can hop on their favorite game site and find a walkthrough that takes them through the steps needed for success.
Not all developers are interested in learning how these vulnerabilities work. We’ve all worked with brilliant programmers who firmly believed that their job was to create the application; security was someone else’s responsibility. While Google’s tutorial promises to add to their skill set, plenty of people will be turned off because no walkthrough is provided. Frustrated by the lack of a “cheat”, many will lose interest in continued learning.
Organizations and developers who care about security will certainly take this as a golden opportunity to better understand how to make their applications safer. Encouraging divergent thinking and problem-solving skills are proven techniques for enhancing learning, and by using them Google shows it is serious about teaching security. The question is, what are we to do with applications created by those who don’t take security as seriously as they should?