
Google Gruyere can be run locally or used through a browser on its hosted instance, which makes it easy to get started with.

Google Gruyere was created by Bruce Leban, Mugdha Bendre, and Parisa Tabriz (the engineer known as Google's "Security Princess") as a self-paced, self-contained codelab that teaches how attackers exploit web applications and how developers can protect them. The codelab is built around Gruyere, a small microblogging application, in which users publish text snippets and upload files, that is intentionally packed with security bugs.

A paper published in September 2025 provides a modern, systematic analysis of web security using Gruyere as its primary experimental subject. One of its key sections covers vulnerability reproduction:

In Gruyere, users can post snippets (micro-blog updates) that support basic HTML. However, the application fails to sanitize that input properly, so an attacker can inject a malicious script into a snippet, and it runs in the browser of every user who views it.

Gruyère realized the developers had left the "back door" unlocked. By changing a single digit in the URL, from user/profile/102 to user/profile/001, he bypassed all permissions. He was now logged in as the CEO. He had full access to the firm's defensive strategies, their encryption keys, and their "unhackable" vault.

The Twist: The White Hat

4. Path Traversal & Information Disclosure

Path traversal means manipulating file path parameters (for example with "../" segments) to read internal system files or sensitive server-side source code that the application never intended to serve.
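The check a file-serving handler needs against the traversal described above, as an added example (this is not Gruyere's own code). It assumes a Gruyere-style layout in which each user's uploads live under a per-user directory below one uploads root; the directory tree built in demo() is constructed for illustration. A user-supplied path is accepted only if, after resolving symlinks and ".." segments, it still lies strictly inside that user's directory.

```python
"""Added example: containing a user-supplied file path to a per-user directory."""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path would leave the user's upload directory."""


def resolve_upload(uploads_root: Path, user: str, requested: str) -> Path:
    """Return the real path of <uploads_root>/<user>/<requested>, or raise.

    The root and the per-user directory are resolved first (symlinks expanded)
    so that a symlink planted inside the tree cannot be used to hop outside it.
    """
    root = uploads_root.resolve()
    user_dir = (root / user).resolve()
    # The username itself is user-controlled in many apps, so check it too.
    if user_dir == root or not user_dir.is_relative_to(root):
        raise PathTraversalError(f"rejected user: {user!r}")
    # Absolute paths and NUL bytes are never legitimate for an upload name.
    if "\x00" in requested or os.path.isabs(requested):
        raise PathTraversalError(f"rejected: {requested!r}")
    # resolve() collapses "..", so a traversal shows up as a candidate that is
    # no longer inside user_dir. Equality is rejected too: no directory listing.
    candidate = (user_dir / requested).resolve()
    if candidate == user_dir or not candidate.is_relative_to(user_dir):
        raise PathTraversalError(f"rejected: {requested!r}")
    return candidate


def demo() -> dict:
    """Build a throwaway uploads tree (constructed data) and probe it.

    Returns the outcome per requested path: file contents, "REJECTED" for a
    traversal attempt, or "MISSING" for a well-formed path that does not exist.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        (root / "alice").mkdir(parents=True)
        (root / "alice" / "notes.txt").write_text("alice's note")
        (root / "secret.txt").write_text("not for alice")  # outside alice's directory

        probes = [
            "notes.txt",          # legitimate
            "../secret.txt",      # one level up: another location under the root
            "../../etc/passwd",   # classic traversal out of the tree
            "/etc/passwd",        # absolute path
            "sub/../notes.txt",   # ".." that stays inside the user directory
        ]
        results = {}
        for req in probes:
            try:
                results[req] = resolve_upload(root, "alice", req).read_text()
            except PathTraversalError:
                results[req] = "REJECTED"
            except FileNotFoundError:
                results[req] = "MISSING"
        return results


if __name__ == "__main__":
    for path, outcome in demo().items():
        print(f"{path!r:22} -> {outcome}")
```

Note that "sub/../notes.txt" is accepted: the check is on where the path ends up, not on whether the string contains "..", which is exactly why a blocklist of substrings is the wrong tool here.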

Gruyere allows users to create profiles and post snippets of text. In its vulnerable state, the application takes that user input and renders it directly into the HTML page without escaping it.

Understanding Google Gruyere: A Hands-On Guide to Web Application Vulnerabilities and Defenses

Gruyere is not the right tool if you already know the OWASP Top 10 inside out and need advanced bug classes (race conditions, deserialization, GraphQL) or framework-specific bugs.

XSS occurs when an application includes untrusted data in a web page without proper validation or escaping, allowing attackers to execute malicious scripts in a victim's browser, in the context of the vulnerable site's origin.
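The snippet-rendering bug described above (untrusted snippet text placed straight into the page) beside a hardened renderer, as an added example written for this page; it is not Gruyere's own code and does not reproduce Gruyere's sanitizer. Because Gruyere snippets are meant to support basic HTML, plain escaping of everything would break the feature, so the safe version keeps an allowlist of tags and attributes (the allowlist itself is an assumption) and escapes all other text. The payloads are constructed for illustration.

```python
"""Added example: raw snippet rendering (vulnerable) vs allowlist sanitizing."""
import html
from html.parser import HTMLParser

# Assumed allowlist: the formatting tags a micro-blog snippet needs.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}

PAGE_TEMPLATE = "<html><body><div class='snippet'>{}</div></body></html>"


def render_unsafe(snippet: str) -> str:
    """Vulnerable: the untrusted snippet is concatenated into the page verbatim."""
    return PAGE_TEMPLATE.format(snippet)


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds the input, escaping text and dropping anything not allowlisted."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop <script>, <img>, ...; any inner text still reaches handle_data
        safe_attrs = ""
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue  # blocks javascript: and data: URLs
            safe_attrs += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{safe_attrs}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Everything that is not an allowlisted tag ends up here and is escaped,
        # so "<" and "&" typed by the user can never start new markup.
        self.out.append(html.escape(data, quote=True))


def sanitize_snippet(snippet: str) -> str:
    parser = _AllowlistSanitizer()
    parser.feed(snippet)
    parser.close()
    return "".join(parser.out)


def render_safe(snippet: str) -> str:
    """Hardened: only allowlisted markup survives, everything else is escaped."""
    return PAGE_TEMPLATE.format(sanitize_snippet(snippet))


if __name__ == "__main__":
    for payload in [
        "<script>alert(document.cookie)</script>",   # stored XSS via a snippet
        "<img src=x onerror=alert(1)>",
        '<b onclick="alert(1)">bold</b>',
        '<a href="javascript:alert(1)">link</a>',
        '<a href="https://example.com/">ok link</a>',
    ]:
        print("unsafe:", render_unsafe(payload))
        print("safe:  ", render_safe(payload))
```

The point of the contrast: the vulnerable renderer cannot be fixed by searching for the string "<script>", because event handlers on otherwise harmless tags and javascript: URLs are just as dangerous; the hardened version decides what is allowed and escapes the rest.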

Google Gruyere is a deliberately vulnerable web application designed to teach application security basics. It serves as a widely used sandbox for developers, testers, and security enthusiasts to learn how attackers exploit web vulnerabilities and how engineers code defenses against them.

Use unique, unpredictable anti-CSRF tokens, tied to the user's session, for every state-changing request, and reject any request whose token does not match. Additionally, ensure that actions like deleting data are performed only via POST requests, never GET, since a GET can be triggered by nothing more than an image or link on an attacker's page.
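The two CSRF defences just described, a per-session token that each state-changing request must echo back and a delete action that refuses anything but POST, as an added example written for this page; it is not Gruyere's own code. The session and request objects, the "/deletesnippet" path, the form field names and the snippet store are all assumptions made for illustration.

```python
"""Added example: per-session CSRF token plus POST-only state changes."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Unpredictable, per-session token; the site embeds it in its own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    form: dict
    session: Session  # whoever the browser's cookie says is logged in


def delete_snippet(req: Request, store: dict) -> tuple[int, str]:
    """State-changing handler: POST only, and the form must carry this session's token."""
    if req.method != "POST":
        return 405, "use POST"  # a GET fired by <img src=...> on another site stops here
    token = req.form.get("csrf_token", "")
    # Constant-time compare. An attacker's page cannot read the victim's token
    # (same-origin policy), so it cannot build a request that passes this check.
    if not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        return 403, "bad csrf token"
    snippet_id = req.form.get("id", "")
    # Still enforce ownership: a valid token says "this user meant it",
    # not "this user may delete anything".
    if store.get(snippet_id, {}).get("owner") != req.session.user:
        return 403, "not your snippet"
    del store[snippet_id]
    return 200, "deleted"


def demo() -> dict:
    """Replay three requests against constructed data and report each outcome."""
    victim = Session(user="alice")
    store = {
        "1": {"owner": "alice", "text": "hello"},
        "2": {"owner": "alice", "text": "world"},
    }
    outcomes = {}
    # 1. Cross-site GET, e.g. <img src="https://site/deletesnippet?id=1"> on the attacker's page.
    outcomes["cross_site_get"] = delete_snippet(
        Request("GET", "/deletesnippet", {"id": "1"}, victim), store)[0]
    # 2. Auto-submitted cross-site POST; the attacker has to guess the token.
    outcomes["forged_post"] = delete_snippet(
        Request("POST", "/deletesnippet",
                {"id": "1", "csrf_token": secrets.token_urlsafe(32)}, victim), store)[0]
    # 3. The site's own delete form, which carries the session's real token.
    outcomes["legit_post"] = delete_snippet(
        Request("POST", "/deletesnippet",
                {"id": "1", "csrf_token": victim.csrf_token}, victim), store)[0]
    outcomes["remaining"] = sorted(store)
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

The POST-only rule is the cheap first line of defence (it removes the image-tag and link vectors), but it is the token check that actually stops a forged request, because an attacker's page can submit a cross-site POST form just as easily as a GET.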