Gruyere: Learn Web Application Exploits and Defenses
Secure session management
The primary defense is output encoding/escaping. Never trust user input. Use a context-aware sanitization library. In fact, Gruyere itself ships with a sanitize.py module that is meant to protect the application. You can examine its code to see a real-world attempt at an HTML sanitizer and then, as a more advanced exercise, try to fix or rewrite it.
Even if one defense fails (for example, a WAF misses a SQL injection attempt), a parameterized query still stops it. If a developer forgets output encoding, CSP still blocks script execution. That layered, defense-in-depth approach is the Gruyere advantage.
Path traversal (also called directory traversal) occurs when a program constructs a file path name using input from the user, resulting in access to an unintended file. Attackers inject sequences like ../ (dot-dot-slash) into file path parameters to navigate outside the application's root directory.
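To make the traversal mechanism concrete, here is an added example (not Gruyere's own code) in Python, the language Gruyere is written in: the vulnerable concatenation pattern beside a hardened resolver that confirms the requested file stays under the serving directory. BASE_DIR and the filenames are constructed assumptions.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed example: the directory from which user files are served.
BASE_DIR = Path("/srv/app/uploads")


def naive_path(user_input: str) -> Path:
    """The vulnerable pattern: untrusted input is concatenated onto the base.

    The '..' segments are left in place, so the filesystem will happily walk
    out of BASE_DIR when the path is opened.
    """
    return Path(os.path.join(str(BASE_DIR), user_input))


def safe_path(user_input: str) -> Optional[Path]:
    """Resolve the request and confirm it is still inside BASE_DIR.

    Returns the normalised path, or None when the request must be refused
    (log it and answer 403/404). Assumes the web layer has already URL-decoded
    the parameter exactly once, so encoded '%2e%2e%2f' forms arrive as '../'.
    """
    # Absolute paths, empty names and NUL bytes are never legitimate filenames.
    if not user_input or "\x00" in user_input or os.path.isabs(user_input):
        return None
    # Lexically collapse '.' and '..' so the check below sees the real target.
    candidate = Path(os.path.normpath(os.path.join(str(BASE_DIR), user_input)))
    # Compare path components, not string prefixes: a plain startswith() would
    # wrongly accept a sibling directory such as /srv/app/uploads_evil.
    try:
        candidate.relative_to(BASE_DIR)
    except ValueError:
        return None
    # '.' normalises to BASE_DIR itself, which is a directory, not a file.
    if candidate == BASE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests, benign and hostile.
    for req in ["report.txt", "sub/../report.txt", "../../etc/passwd", "/etc/passwd"]:
        print(f"{req!r:22} naive={naive_path(req)}  safe={safe_path(req)}")
```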
Command Injection and File Inclusion
This guide walks you through the top vulnerabilities you can learn about using Gruyere and how to defend against them.
What is Gruyere?