Despite being over a year old now, Gruyere (the google web-app), still rings true today.
Gruyere attempts to teach through hands-on exercises of exploitation and the required associated fix. You are thrown into a isolated environment on the Google app-engine and provided with simple features including the ability to create a login.
Gruyere covers some important subjects made a lot more digestible by providing a live example of the specific exploit. One subject in particular is that of “Path Traversal“, it’s rare to come across this in the wild and hadn’t thought about in a while, a nice refresher.
Fixes are provided in Python, although rare to find that in popular use, it does provide an easy to read code explanation for fixes.
All in all Gruyere from Google Labs is a brilliant tool for teaching how penetration testing actually works. Equally, proves a useful tool for what-not-to-do when building a web-app; highlighting that irrespective of how few features one app might have, it is probably full of holes.