And Google’s done this on purpose.

It’s all part of how Google Labs and Google Code University are educating Web developers on how to make their Web applications more secure. Jarlsberg is much more than a buggy microblogging tool; it’s an entire lesson on what Web developers, no matter their level of security skill, need to look out for when writing code. Google provides developers with the Jarlsberg code, and has a step-by-step walkthrough on security issues present in the system: everything from cross-site scripting (XSS) attacks to client-state manipulation (e.g. elevation of privilege), to denial of service and AJAX vulnerabilities. When going through the walkthrough, you’ll see white or black “cheese” icons, indicating whether you’re putting on your white hat (actually looking at the code in question) or your black one (poking and prodding, experimenting to see what happens) to test the vulnerabilities of Jarlsberg.

The code is written in Python, but for us PHP programmers, it’s not hard to see what’s going on even if you don’t have much familiarity with Python. What’s important, in any event, is the lesson—not the programming language it was written in.

And indeed, the lessons that Jarlsberg teaches are exceedingly important. Many of the issues are cleared up by extending the code just a bit; for example, instead of creating a black list of disallowed HTML tags for posts, it might be better to create a white list to better catch malicious behavior. As my fellow blogger Keith Casey reminded us, less code isn’t always better—and when it comes to security, that notion is quite important.

I highly encourage you to go through the entire walkthrough; it might take you a while to do so, but it’s well-written and, frankly, rather engaging. I have little to no experience in the realm of Web security, and I learned a lot about how simple mistakes can be easily exploited—and this in just the first few pages of the lesson.

After you’ve finished the walkthrough, let us know (in the comments) what you got out of it, and how you’re applying those lessons to your own PHP software projects.

Google has just opened registration for Code Jam 2010. If you’ve never heard of it before, you are probably wondering what it is and why you should care. Code Jam is an annual programming competition sponsored by Google. The top 25 scores receive cash prizes and if you make it to the final round, they fly you to their offices to compete on site. This year, the finals are being held in Dublin!

For specifics on when the various rounds are scheduled and how to advance to each round, check the rules page. If you’re curious what types of problems you may face and want to get some practice, you can review problems and solutions from previous years.

As a reader of this blog, you probably have more than a passing interest in PHP. Code Jam allows you to devise solutions in PHP, and just about any other language imaginable. Analysis of previous years’ solutions shows that there is a small group of PHP coders participating. However, our language of choice was upstaged by Ruby and—GASP!—Perl.

Let’s show how clever PHP programmers can be and make sure we are properly represented this year. If you plan on participating and using PHP, please leave a comment including your Code Jam user name. While collaboration during the contest is strictly forbidden, you can follow everyone’s progress and cheer your fellow PHPers on.

The idea behind skipfish consists in recursively crawling a web applications, following links and forms which lead to targets in the current host. The output is a generated sitemap whose nodes are annotated with possible security issues found via heuristics run on the behavior and content encountered. For example, skipfish points out shell command and SQL injection vectors by injecting typical patterns and looking for error conditions in the response.

Technology

skipfish is written in pure C, with a custom http stack to perform blazingly fast (up to 2000 requests per second have been reported on local instances.) The source code can be compiled on POSIX-compliant systems, so that skipfish runs on Linux, Mac OS X and Windows via cygwin.
skipfish emulates http authentication and session cookies in its generated requests, and can exclude a set of predefined urls such as logout pages and static content. The result of a completed scan is a json data structure available for further processing. The json data source is animated via a javascript-powered html report for the end-user’s pleasure.

Usage

skipfish is definitely one of the tools to keep in the web developer box. No security tool, and particularly  a scanner, should be employed single-handedly: there are vulnerabilities which are impossible or non practical to test remotely (see buffer overflows) and have been deliberately left out from skipfish’s vision, as known limitations.
A combination of several tools could instead be helpful: nowadays more and more software is being transported on the cloud, and the web has evolved from a browsing platform to a full-featured set of remote applications, whose field Google leads with Gmail, Google Docs and its other products. Automated scanning is one of the ways to go to outline critical entry-points while optimizing the time spent on analysis.