Google Gruyere is a hands-on web application security codelab designed by Google to teach developers and security researchers how common vulnerabilities are exploited and, more importantly, how to defend against them.
Convert characters like < and > into HTML entities like &lt; and &gt;.
Gruyere shows how attackers can manipulate client-side data, such as cookies, to escalate privileges or spoof other users.
You can create a site that tricks a logged-in user into changing their password or deleting their account without their knowledge.
Users can test how improper sanitization allows them to bypass login forms or extract data from the backend database.
The goal is to get a logged-in user to delete one of their own snippets without their knowledge. To do this, you can create a malicious HTML page on your own server that automatically submits a request to Gruyere's deletion endpoint. For example, an <img> tag with the src attribute set to https://google-gruyere.appspot.com/123/delete-snippet?id=456 would send a GET request, and the browser would include all of the user's cookies for google-gruyere.appspot.com. If the user is logged in, the snippet will be deleted.
Modern frameworks like React, Angular, or Jinja2 automatically escape variables by default.
It covers most of the OWASP Top 10 web vulnerabilities.
Gruyere allows users to create profiles and upload snippets of text. In its vulnerable state, the application takes user input and renders it directly into the HTML page.
A top-down learning approach (like the Gruyère model) ensures you understand both attack and defense at each layer.
Always sanitize user input and escape output before rendering it in HTML.
Access to the code allows you to map exploits directly to vulnerabilities.
The OWASP Top 10, the industry's gold standard for web application security risks, highlights broken access control, cryptographic failures, and injection flaws as the most critical concerns. Similarly, MITRE's 2025 CWE Top 25 ranks Cross-Site Scripting (CWE-79), SQL Injection (CWE-89), and Cross-Site Request Forgery (CWE-352) as the three most dangerous software weaknesses.