Thursday, June 24, 2010

BEAT THE HACKERS AT THEIR OWN GAME.

This codelab shows how web application vulnerabilities can be exploited and how to defend against these attacks. The best way to learn things is by doing, so you'll get a chance to do some real penetration testing, actually exploiting a real application. Specifically, you'll learn the following:

How an application can be attacked using common web security vulnerabilities, like cross-site scripting vulnerabilities (XSS) and cross-site request forgery (XSRF).
How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution.

To get the most out of this lab, you should have some familiarity with how a web application works (e.g., general knowledge of HTML, templates, cookies, AJAX, etc.).


Jarlsberg

This codelab is built around Jarlsberg /yärlz'·bərg/, a small, cheesy web application that allows its users to publish snippets of text and store assorted files. "Unfortunately," Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal of this codelab is to guide you through discovering some of these bugs and learning ways to fix them both in Jarlsberg and in general.

The codelab is organized by types of vulnerabilities. In each section, you'll find a brief description of a vulnerability and a task to find an instance of that vulnerability in Jarlsberg. Your job is to play the role of a malicious hacker and find and exploit the security bugs. In this codelab, you'll use both black-box hacking and white-box hacking.

In black-box hacking, you try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior. You do not have access to the source code, although knowing how to view source and being able to view HTTP headers (as you can in Chrome or with LiveHTTPHeaders for Firefox) is valuable. Using a web proxy like Burp or WebScarab may be helpful in creating or modifying requests.

In white-box hacking, you have access to the source code and can use automated or manual analysis to identify bugs. You can treat Jarlsberg as if it's open source: you can read through the source code to try to find bugs. Jarlsberg is written in Python, so some familiarity with Python can be helpful. However, the security vulnerabilities covered are not Python-specific, and you can do most of the lab without even looking at the code. You can run a local instance of Jarlsberg to assist in your hacking: for example, you can create an administrator account on your local instance to learn how administrative features work and then apply that knowledge to the instance you want to hack. Security researchers use both techniques, often in combination, in real life.
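As an added illustration (not code from Jarlsberg or from this codelab), the two bug classes named above in a few lines of Python: a snippet renderer that pastes user text straight into the HTML beside one that escapes it, and a hypothetical publish handler that refuses requests lacking a session-bound XSRF token. The handler, the secret key and the sample snippet are constructed for this example.

```python
import hashlib
import hmac
import html
from typing import Tuple
from urllib.parse import parse_qs

# Constructed server-side secret for this example; a real app loads it from config.
SECRET_KEY = b"constructed-secret-for-illustration-only"

# Constructed sample snippet a user might submit: harmless as text, but it
# becomes a script if the page renders it unescaped.
SAMPLE_SNIPPET = "<script>alert(1)</script>"


def render_snippet_unsafe(snippet: str) -> str:
    """Vulnerable: user text is concatenated straight into the HTML (XSS)."""
    return "<div class='snippet'>" + snippet + "</div>"


def render_snippet_safe(snippet: str) -> str:
    """Fixed: escape <, >, &, and quotes so the browser treats the text as data."""
    return "<div class='snippet'>" + html.escape(snippet, quote=True) + "</div>"


def make_xsrf_token(session_id: str) -> str:
    """Derive a token bound to the session. A third-party site cannot compute
    it without SECRET_KEY, so a forged cross-site POST cannot include it."""
    return hmac.new(SECRET_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def handle_publish(session_id: str, form_body: str) -> Tuple[int, str]:
    """Hypothetical POST handler for publishing a snippet.

    form_body is the URL-encoded request body. Returns (HTTP status, HTML).
    A request whose 'xsrf' field does not match the session's token is refused
    before any state changes, which is what blocks cross-site request forgery.
    """
    params = parse_qs(form_body, keep_blank_values=True)
    token = params.get("xsrf", [""])[0]
    expected = make_xsrf_token(session_id)
    # Constant-time comparison on bytes; str comparison would raise on non-ASCII input.
    if not hmac.compare_digest(token.encode("utf-8"), expected.encode("utf-8")):
        return 403, "missing or invalid XSRF token"
    snippet = params.get("snippet", [""])[0]
    return 200, render_snippet_safe(snippet)


if __name__ == "__main__":
    print("unsafe:", render_snippet_unsafe(SAMPLE_SNIPPET))
    print("safe:  ", render_snippet_safe(SAMPLE_SNIPPET))
    print(handle_publish("sess-1", "snippet=hello"))
    print(handle_publish("sess-1", "snippet=hello&xsrf=" + make_xsrf_token("sess-1")))
```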

We'll tag each challenge to indicate which techniques are required to solve it:

Challenges that can be solved just by using black-box techniques.

Challenges that require that you look at the Jarlsberg source code.

Challenges that require some specific knowledge of Jarlsberg that will be given in the first hint.

Setup

To access Jarlsberg, go to http://jarlsberg.appspot.com/start. AppEngine will start a new instance of Jarlsberg for you, assign it a unique id and redirect you to http://jarlsberg.appspot.com/123/ (where 123 is your unique id). Each instance of Jarlsberg is "sandboxed" from the other instances so your instance won't be affected by anyone else using Jarlsberg. You'll need to use your unique id instead of 123 in all the examples. If you want to share your instance of Jarlsberg with someone else (e.g., to show them a successful attack), just share the full URL with them including your unique id.

The Jarlsberg source code is available online so that you can use it for white-box hacking. You can browse the source code at http://jarlsberg.appspot.com/code/ or download all the files from http://jarlsberg.appspot.com/jarlsberg-code.zip. If you want to debug it or actually try fixing the bugs, you can download it and run it locally. You do not need to run Jarlsberg locally in order to do the lab.

Reset Button
As noted above, each instance is sandboxed so it can't consume infinite resources and it can't interfere with anyone else's instance. Notwithstanding that, it is possible to put your Jarlsberg instance into a state where it is completely unusable. If that happens, you can push a magic "reset button" to wipe out all the data in your instance and start from scratch. To do this, visit this URL with your instance id:
http://jarlsberg.appspot.com/resetbutton/123

Tuesday, June 22, 2010

Bhopal Gas Tragedy: An Endless nightmare

Twenty-five years have passed since that night of terror and death in Bhopal, which saw a cloud of deadly gases explode out of a faulty tank in a pesticide factory and silently spread into the homes of sleeping people. Although no official count of casualties has ever been done, estimates based on hospital and rehabilitation records show that about 20,000 people died and about 5.7 lakh suffered bodily damage, making it by far the world’s worst industrial disaster ever.

Many who breathed the highly toxic cocktail that night suffered a horrible death with multiple organ failure. Those who survived have suffered multiple diseases for 25 years. A report of the Gas Tragedy Relief Department of the state says that the morbidity rate (occurrence of ailments) is nearly 20% among gas-affected persons compared to about 5% among the unaffected population.

Following the disaster, there was an international outcry for relief for the victims and punishment of those responsible for the gas leak. The pesticide plant from which the gas leaked belonged to Union Carbide India, a subsidiary of the US-based Union Carbide Company. They were asked to pay compensation and arrange for medical treatment. The matter immediately became embroiled in legal controversies. Thus began a long and painful struggle of the victims for compensation, medical attention and rehabilitation that has spluttered along for a quarter century.

In February 1989, the Supreme Court announced that it was approving a settlement for Bhopal victims under which Union Carbide agreed to pay Rs 713 crore for compensation to victims, while the government agreed to drop all criminal cases against it. However, due to intense public shock and anger at letting off the culprits, the court agreed to reopen the criminal cases in 1991. Two installments of compensation — of up to Rs 25,000 each — have been given till now to the injured, one in 1994 and the next in 2004.

N D Jayaprakash of the Bhopal Gas Peedit Sangharsh Sahyog Samiti (BGPSSS), one of the groups fighting for the rights of gas victims, calls this a massive fraud because the number of gas-affected persons was arbitrarily fixed by the government at 105,000, including about 3,000 dead. In reality, nearly 20,000 people have died, and 5.7 lakh have suffered injuries. The compensation amount — Rs 713 crore, paid by Union Carbide — was meant for about 1 lakh persons but has been distributed among nearly 6 lakh people. Of the Rs 713 crores, Rs 113 crores was for loss of livestock and property. The balance Rs 600 crore distributed among 5.74 lakh persons works out to about Rs 12,410 per victim on average. In contrast, in the Uphaar tragedy in Delhi, families of those who died got between Rs 15 lakh to Rs 18 lakh each, while injured persons got Rs 1 lakh each. In addition, they got interest at the rate of 9% per annum for the roughly six years that the legal proceedings took.

Stung by this injustice, the victims approached the apex court, which told them to approach the state government. In Bhopal, the Welfare Commissioner rejected their demand. They appealed to the MP high court. On November 30 this year, the HC too dismissed the petition. “We will go back to the Supreme Court,” says Jayaprakash.

Even after 25 years, gas victims are suffering serious health problems. On average, 6,000 gas-affected patients visit hospitals in Bhopal every day, that is, about 2 million visits per year. The government adopted a one-size-fits-all policy for categorisation of injuries — a person with compromised lungs may ultimately develop other diseases, besides being unable to work fully. But such distinctions were not maintained and meagre compensation was doled out. Sadhana Pradhan, who has worked among the gas victims since the disaster in 1984, points out that no line of treatment was ever evolved. “The government has treated the victims on an ad hoc basis,” she says. Medical records are still not centralized as recommended by the monitoring committee set up by the Supreme Court in 2004. As a result, doctors have no idea about the patients’ history. “This has led to development of multi-drug resistant (MDR) TB in many cases,” says Dr Saxena, who spent 11 years in the government’s TB hospital in Bhopal.

Another dimension of the ongoing tragedy of Bhopal is the poisonous chemical waste lying around in the abandoned premises of the pesticide plant. Several committees have inspected it and found 44,000 kgs of tarry residues and 25,000 kgs of alpha naphthol lying in the open since 1984. Various studies have established that the soil, ground water, vegetables and even breast milk have traces of toxic chemicals.

Abdul Jabbar Khan of the Bhopal Gas Peedith Mahila Udyog Sangathan (BGPMUS) says that actually there is much more poisonous waste, which the company used to routinely bury in the premises since 1969. “There is no piped water supply. People still use contaminated groundwater daily,” he says.

Saturday, June 12, 2010

INDIAN PELE - BAICHUNG BHUTIA

Full Name: Baichung Bhutia
Born: December 15, 1976, Tinkitam, Sikkim
Major Teams: East Bengal Club, JCT Mills, Mohun Bagan AC, Bury FC, India
Playing Position: Striker

Achievements:
First Indian to play professional football in England
Led the national football team to title triumph at the LG Cup in Vietnam in 2002
Led East Bengal club to LG Asean Club Cup football championship victory in Jakarta in 2003
Baichung Bhutia is probably the most famous and popular football player India has ever produced. Also known as the “First Poster Boy of Indian Football”, Bhutia has contributed a lot to making the game popular among the young people of the nation, even in places where football has not been very popular.

Early Life
Hailing from the North-Eastern state of Sikkim, Baichung was born on the 15th of December 1976 at Tinkitam, Sikkim. He got his basic education at St. Xaviers School, Pakyong, East Sikkim. From the very beginning he showed a serious interest in football, and encouragement from his uncle Karma Bhutia helped him move forward towards his destiny. Due to his extraordinary abilities in the game, Bhutia got a scholarship to Tashi Namgyal Academy, a well known school in Gangtok, at the age of 9.

Football Career
Bhutia caught everybody's attention for the first time at the Subroto Cup 1992 held at Delhi, where he was given the Best Player award. Bhaskar Ganguly, the former goalkeeper of the Indian football team, was especially impressed by Baichung’s talent and supported him in moving on to professional football. At the age of 16, Bhutia joined East Bengal, a reputed football club from Calcutta (now Kolkata), and went on to join yet another well known football club, JCT Mills, Phagwara, in the year 1995. The same year, JCT won the National Football League after Bhutia joined them, and he scored the most goals in the League for JCT. Baichung was given the “Indian Player of the Year 1996” award.

He came back to East Bengal in the year 1997 and led the team in 1998-99. In the semi-final of the Federation Cup 1997 played between East Bengal and Mohun Bagan, Baichung scored a hat-trick and led East Bengal to win the match 4-1. Bhutia is the only football player ever to score a hat-trick in a match between the most famous arch rivals of Indian football – East Bengal and Mohun Bagan. The same year, he earned the recognition of being the highest scorer ever in any match of the National Football League: in a match against Mahindra United played on the 9th of December 1997, he scored 5 goals alone for his team JCT Mills.

In the year 1999, Bhutia began playing for an English football club, Bury F.C., and played there till the year 2002. Upon his return to India in 2002, he played for Mohun Bagan AC for 1 year and then moved back to his initial club, East Bengal, and played for them until he returned to Mohun Bagan in the year 2006. In the meantime, he also played for Perak, a Malaysian football club. Currently he is under contract with Mohun Bagan, and will play for them till the year 2010.

Other Achievements
Bhutia has been honored with the Indian Player of the Year award twice, in the years 1995 and 2008. In the year 1999 he was given the Sikkim State Award and the Arjuna Award. In the year 2008, he was conferred the Padmashree Award.


Friday, June 11, 2010

INTERESTING DEFINITIONS

School: A place where Papa pays and Son plays.


Life Insurance: A contract that keeps you poor all your life so that you
can die Rich.


Lecture: The art of transferring information from the notes of the lecturer
to the notes of the students without passing through "the minds of either".


Conference: The confusion of one man multiplied by the number present.


Compromise: The art of dividing a cake in such a way that everybody
believes he got the biggest piece.


Conference Room: A place where everybody talks, nobody listens and
everybody disagrees later on.


Father: A banker provided by nature.


Politician: One who shakes your hand before elections and your confidence
after.


Classic: Books, which people praise, but do not read.


Smile: A curve that can set a lot of things straight.


Yawn: The only time some married men ever get to open their mouth.


Etc.: A sign to make others believe that you know more than you actually do.


Committee: Individuals who can do nothing individually and sit to decide
that nothing can be done together.


Experience: The name men give to their mistakes.

Tuesday, June 8, 2010

MANDVI BEACH

Kutch Mandvi is an important beach in Gujarat, situated at Mandvi. Mandvi is the historic port town of Maharao of Kutch, located at a distance of 75 km from Bhuj. Kutch Mandvi was once inhabited by the Maharao of Kutch and was an important seaport. The private beach of Maharao is the perfect place, in case you are looking for peace and solitude. It has beautiful white sand, serene locales and enchanting sunset views.


Kutch Mandvi Beach is the ideal place to have fun and enjoy yourself to the fullest. The beach is just the place for swimming and long walks. Apart from this, horse and camel rides are also quite popular here. Savor sweet coconut or hot brewing tea while watching the neighboring windmills. The scintillating blue water, lively birdlife, pristine beaches and colorful fishing hamlets present just the right picture of the Mandvi town.


You can also watch wooden ships being made in a nearby dock in the town. But, this is not all. There is much more to the town, which boasts of historical places of princely times. It also offers a plethora of items for shopping, like handicrafts, silverware, shell-work, Kutchi embroideries, Bandhini tie-and-dye saris as well as block prints.

Thursday, June 3, 2010

Where does love come from?

Contemporary science tells us that love is built into us. As the great researcher, Allan Schore, proves, we enter the world pre-wired to love the first person who takes care of us. Once an infant is born it works like this. When an infant sees his mother gazing at him with love in her eyes, happy neuro-chemicals flood the infant's brain. The child feels happy. He or she likes this feeling and wants more of it. This sets up an attachment to the source of this good feeling. Since the good feeling comes from mom, the kid starts to love mom. We are genetically set up so that when the brain gets a good dose of those happy-making chemicals, we grow neurons in our brain. These neurons form the basis of our feeling confident in the world. They enable us to create and sustain loving connections with other people.

As we grow into childhood, when we receive the proper emotional attunement from our loved ones, our brains continue to develop and we mature our natural propensity to love and be loved. It is when we get our emotional needs met that we grow the ability to love more and more people in deeper and deeper ways. John Bowlby makes a great case that this built in ability to love is evolutionarily adaptive. That is, it contributes to the survival of our species. Helpless infants and mothers need to be bonded because little babies can't survive without that protection and care. Without love, we do not thrive. Those neurons that grow from love also contribute to the development of our ability to think, feel, create, imagine, act and care for ourselves in the best possible way. Our ability to love and connect is what is natural and adaptive. Our destructive aggressiveness happens when our natural emotional needs for a loving relationship get frustrated.

When we understand that our love is innate, we realize that children are not born bad, without a moral basis, needing to be "trained" and restrained into obedience. This view that children are evil and need to be broken has justified all kinds of abuse. We now know that this kind of child rearing leaves permanent scars. Instead, if our task as parents is to cultivate the love that already exists in our child by giving love, it makes our job clear. Our children are precious, with potentials that need to be nurtured, nourished and lovingly tended.

Our natural ability to love is our common human bond. Mencius, Confucius's disciple, said that every human heart is alike. When we realize this, this becomes our basis for living. Since we are all alike, we must live our lives according to the golden rule, which has been understood in every culture and religion, including the philosophy of Confucius. The Chinese character for this reciprocity, that is, do unto others as you would have them do unto you, is shu, which is a combination of the characters for "heart" and "alike." Its common meaning is forgiveness.

Our central core of loving compassion is what Mencius called heart. This is what he believed defined what it meant to be truly human or humane. This natural empathy, or the ability to feel what others feel, is what Mencius used as the primary proof that man is essentially good. In order to be fully human, we need to cultivate and develop this heart of compassion.

If this is the case, then the best thing we can do for ourselves, the ones closest to us, and for the planet is to develop our ability to love. Certainly, as we understand the great chain of being, it is our love that helps grow love in our children. Though we understand this scientifically today, this wisdom was understood by Confucius and his follower, Mencius, 2500 years ago. Confucius's main concern was human relationship. He understood that we were in alignment with our intrinsic purpose on this planet when we were able to have the best relationship with others.

The Confucians believed that our whole society needed to be built on this principle. Our leaders needed to run the state so that relationships would be in greatest harmony and there would be the ultimate conditions for the realization of love. This is a great model for our own leaders and one we need to encourage them to embrace.

As part of this societal imperative, learning about love needs to be central to our education. 70 years ago, Franklin Roosevelt, after seeing the catastrophe of a world war, said that schools needed to expand from the three R's to four: reading, writing, arithmetic and relationships. He believed that the very survival of the world depended on us learning how better to love and connect through relationship and that it was the responsibility of society at large to provide this direction. In some ways we seem further from this educational goal almost a century later.

This common core of love also means that we do not need to look outside of ourselves for what we seek to become in life. Confucius also said, "the measure of man is man." What this means is that we can all begin where we are, and by developing our best attributes, we can become wise, strong, passionate and optimally loving.

Confucius's idea of this ideal person was captured by the Chinese character, Jen. This character is made up of the characters for "man" and "two," signifying that the measure of an individual is his or her ability for good relationship. The ideal person is one who can connect with others, who can love.

Within each of us is such a fine person, because we can become one, given the proper cultivation. This begins with how we are raised. But once we become grown-ups, we need to take over the task of cultivation. We must self-cultivate.

How do we develop our capacity for love and compassion? This is an especially important question because not one of us received the optimal nurturance growing up.

Confucius would say that this begins with tireless self-education. We must explore our great cultural heritage to understand what the pilgrims who have gone before us have learned about love and how to achieve it. We must imagine this ideal, and continue to develop this image so that we have a goal to aim for. We must immerse ourselves in the arts, because this is the food of love.

Finally, our heart of love and compassion is cultivated through our actions, what we do every day. Each day we must practice living up to our highest vision of love. We become more humane - we find our hearts - through giving. To be what we are meant to be, we need to open ourselves and passionately risk all for the sake of loving others.

Science has now joined philosophy and spirituality in understanding that love is our root, answer, and what we are made of. Through a commitment and devotion to a lifetime of self exploration, you must travel within yourself to find the lost and hidden heart, because there you will discover that the source of love is within yourself. That's where love comes from.