Gruyere Learn Web Application Exploits Defenses Top May 2026
A simple login form vulnerable to SQLi and XSS.
Google Gruyere is an intentionally vulnerable web application developed by Google to teach developers and security researchers how to find and fix common security flaws.
Cross-Site Scripting (XSS)
Gruyere shows how attackers can manipulate client-side data, such as cookies, to escalate privileges or spoof other users.
: This flaw allows an attacker to trick a logged-in user into performing unwanted actions on Gruyere, such as changing their password or deleting data, by clicking a malicious link.
Path Traversal: Attackers manipulate file paths (e.g., using
Limitations and ethical considerations