
Google's new microblogging tool has lots of security holes…on purpose

Posted by on May 26, 2010

Google recently released a new microblogging tool called Jarlsberg. Ordinarily, Google’s stuff is software par excellence, but in this case, Jarlsberg, like its namesake cheese, is full of holes—in this case, security holes.

And Google’s done this on purpose.

It’s all part of how Google Labs and Google Code University are educating Web developers on how to make their Web applications more secure. Jarlsberg is much more than a buggy microblogging tool; it’s an entire lesson on what Web developers, no matter their level of security skill, need to look out for when writing code. Google provides developers with the Jarlsberg code, and has a step-by-step walkthrough on security issues present in the system: everything from cross-site scripting (XSS) attacks to client-state manipulation (e.g. elevation of privilege), to denial of service and AJAX vulnerabilities. When going through the walkthrough, you’ll see white or black “cheese” icons, indicating whether you’re putting on your white hat (actually looking at the code in question) or your black one (poking and prodding, experimenting to see what happens) to test the vulnerabilities of Jarlsberg.

The code is written in Python, but for us PHP programmers, it’s not hard to see what’s going on even if you don’t have much familiarity with Python. What’s important, in any event, is the lesson—not the programming language it was written in.

And indeed, the lessons that Jarlsberg teaches are exceedingly important. Many of the issues are cleared up by extending the code just a bit; for example, instead of creating a blacklist of disallowed HTML tags for posts, it might be better to create a whitelist of permitted ones to better catch malicious behavior. As my fellow blogger Keith Casey reminded us, less code isn’t always better—and when it comes to security, that notion is quite important.
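To make the blacklist-versus-whitelist point concrete, here is an added example written for this post; it is neither Google's Jarlsberg code nor anything from php[architect]. The first filter strips only tags named on a block list, the second rebuilds the post from an allow-list of tags and attributes; the tag and attribute sets and the sample post are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Block-list approach: strip tags whose name is on the list, pass everything else through.
BLOCKED_TAGS = {"script", "iframe", "object", "embed"}

def sanitize_blocklist(post: str) -> str:
    """Removes only the listed tags; unlisted tags and event-handler attributes survive."""
    pattern = r"</?\s*(?:%s)\b[^>]*>" % "|".join(sorted(BLOCKED_TAGS))
    return re.sub(pattern, "", post, flags=re.IGNORECASE)

# Allow-list approach: tag -> attributes that may survive; anything else is dropped.
ALLOWED = {"b": set(), "i": set(), "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")

class AllowListSanitizer(HTMLParser):
    """Rebuilds a post from allow-listed tags/attributes; all text is re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []    # output pieces, currently open allowed tags
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                        # unknown tag: dropped entirely
        kept = ""
        for name, value in attrs:
            if name in ALLOWED[tag] and value and value.lower().startswith(SAFE_SCHEMES):
                kept += ' %s="%s"' % (name, html.escape(value, quote=True))
        self.out.append("<%s%s>" % (tag, kept))
        self.stack.append(tag)
    def handle_endtag(self, tag):
        if tag in self.stack:             # close anything still open inside it, then the tag
            while self.stack:
                inner = self.stack.pop()
                self.out.append("</%s>" % inner)
                if inner == tag:
                    break
    def handle_data(self, data):
        self.out.append(html.escape(data))  # text never reaches the page unescaped
    def result(self) -> str:
        while self.stack:                 # close tags the author left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)

def sanitize_allowlist(post: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(post)
    parser.close()
    return parser.result()

# Constructed sample post: an unlisted tag plus an event-handler attribute on a listed one.
SAMPLE_POST = ('Hi <b>all</b>, see <a href="https://example.com" onclick="evil()">this</a> '
               '<svg onload="evil()">x</svg>')

if __name__ == "__main__":
    print("block-list:", sanitize_blocklist(SAMPLE_POST))
    print("allow-list:", sanitize_allowlist(SAMPLE_POST))
```

Run it and compare the two outputs: the block list leaves both the `onclick` attribute and the `<svg>` tag in place because neither was enumerated, while the allow list keeps only what was explicitly permitted.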

I highly encourage you to go through the entire walkthrough; it might take you a while to do so, but it’s well-written and, frankly, rather engaging. I have little to no experience in the realm of Web security, and I learned a lot about how simple mistakes can be easily exploited—and this in just the first few pages of the lesson.

After you’ve finished the walkthrough, let us know (in the comments) what you got out of it, and how you’re applying those lessons to your own PHP software projects.


Carl works for Michigan State University's National Superconducting Cyclotron Laboratory as an Applications Programmer. A Zend Certified Engineer, Carl uses PHP in creative ways to solve some of the lab's interesting software problems. He's interested in PHP, human-computer interaction, and all manner of "shiny new things."