Skip to main content

Google hands out lesson in web security

Google has released a micro-blogging application that’s full of holes – and that’s just the way it was meant to be.

The web app (opens in new tab), cheesily named Jarlsberg, allows users to post snippets of text and store files - but it comes with a raft of security problems.

Released after a week in which the security of social networking sites has been very much in the spotlight, Jarlsberg forms part of a Google Codelab entitled 'Web Application Exploits and Defenses'.

The program is designed to help developers improve the security of their code by presenting them with a number of problems, ranging from the easily fixed to more serious flaws that require access to the software’s source code.

"Jarlsberg was written specifically to teach about security," Google’s Bruce Leban explained on the company’s Open Source blog (opens in new tab). "It is a tool to show how to exploit web applications and, in turn, protect against those exploits when developing software."

By providing programmers with a fully-working but insecure application, Google hopes to help them find and fix bugs in their own code that could lead to information disclosure, denial-of-service and remote code execution.

The search giant’s Online Security blog (opens in new tab) lists some of the problems highlighted by the web tutorial, including "cross-site scripting, cross-site request forgery and cross-site script inclusion, as well as client-state manipulation, path traversal and AJAX and configuration vulnerabilities".

Google warns developers that they download the Jarlsberg code at their own risk. monitors all leading technology stories and rounds them up to help you save time hunting them down.