It always amazes me how many web programmers do not understand the myriad ways a web application can be vulnerable.
In my own experience, I have run into simple form processing scripts that exposed everything on an institutional web server, a profile editor that allowed anyone to change anyone else’s profile, a file uploader that allowed an attacker to fill up the network file server hosted on a different machine, a well-known web-based course management platform that enables students to execute arbitrary JavaScript code on the instructor’s browser, a building concierge service that sends passwords in clear text and allows pretty much anyone to obtain a physical key to anyone’s apartment, and many other examples.
Often, such vulnerabilities go unaddressed due to ignorance or reluctance to accept responsibility.
However, while the humor in Bobby Tables is immediately apparent to me, I cannot claim to understand all possible ways to attack a web application. I just know that there are possibly a zillion ways of attacking anything I write with malicious people thinking up new ways every day.
Enter Google’s Web Application Exploits and Defenses code lab.
It exposed me to at least six ways of attacking a web app that I had not thought of before.
Now, of course, one can claim that such a well written and detailed hands-on workshop in how to exploit web apps is dangerous because it can also be used by malicious people.
I would point out that there is no shortage of information and/or tools for such people. They seem to be much more motivated and better adapted to attack web applications than the median programmer and systems administrator seems to be to protect them.
If you are in that group of well-intentioned people but suspect that your understanding of web application security may not be all it needs to be, or even if you think you are the best of the best of the best but could use the practice, try Web Application Exploits and Defenses. Your time will not be wasted.