Include a unique, unpredictable token in every state-changing request (like POST or DELETE). The server validates this token before processing the request.
While more advanced, Gruyere also touches on modern security headers. You will learn to send a header like:
Content-Security-Policy: script-src 'self'
This tells the browser: "Do not execute any inline JavaScript, and do not load scripts from external domains." Because most XSS payloads rely on injected inline script or a script tag pointing at an attacker-controlled domain, this policy stops almost all of them from executing.
CSRF: Forcing users to perform unwanted actions without their knowledge.
Data & Access Flaws
Gruyere allows users to upload profile pictures and references them via a filename parameter. The exploit: ../../../../etc/passwd. The Impact: Reading sensitive system files, source code disclosure. The Defense: Use a strict allow-list of file extensions. Normalize the path using os.path.realpath and verify that the final path starts inside the intended base directory.
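The realpath-and-base-directory check described above, written out as an added example (this is not Gruyere's own code); the upload directory and the extension allow-list are assumptions chosen for the example:

```python
import os

# Constructed for this example: the upload directory and the file-type
# allow-list are assumptions, not Gruyere's own configuration.
UPLOAD_BASE = "/srv/gruyere/uploads"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def resolve_upload_path(filename, base_dir=UPLOAD_BASE):
    """Map a user-supplied filename parameter to a path inside base_dir.

    Returns the resolved absolute path, or None if the name fails either
    check (disallowed extension, or the normalized path escapes base_dir).
    """
    if not filename or "\x00" in filename:
        return None

    # Allow-list on the extension, compared case-insensitively, so that
    # "shot.PNG" passes while "evil.php" or "passwd" (no extension) fail.
    _, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None

    # Normalize both sides: realpath collapses ".." segments and follows
    # symlinks, so a traversal string such as "../../../../etc/x.png"
    # becomes "/etc/x.png" and can be compared against the base.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))

    # Containment check: the target must be strictly inside base.
    # commonpath compares path components, so "/srv/gruyere/uploads2"
    # is correctly rejected (a plain startswith() would accept it).
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:  # e.g. paths on different drives on Windows
        return None
    return target if inside and target != base else None
```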
Gruyere allows users to create a profile where they can enter a biography ("About Me") and upload a profile picture (icon). The intention is to let users express themselves, similar to Facebook, LinkedIn, or any modern web app.
CSRF forces an authenticated user to perform an action they did not intend to perform, exploiting the trust a website has in the user's browser.