Saturday, May 7, 2011

[G] Google News and the Coverage of Bin Laden


Google News Blog: Google News and the Coverage of Bin Laden

Posted by Krishna Bharat, Founder and Head - Google News

Google News was born in the aftermath of the tragic events of September 11, 2001. An unprecedented act of terrorism on U.S. soil, by a foreign militant group led by Osama Bin Laden, changed the course of history. People around the world were trying to comprehend what had just happened, and its implications to public safety, foreign policy, financial markets, and their own lives. Much of that exploration happened online.

At Google we realized that our ability to display links to the freshest and most relevant news was limited by a fundamental problem: fresh news lacked hyperlinks. Google’s ranking depended on links from other authors on the web. Fresh news, by definition, was too fresh to accumulate such links. A new importance signal was needed.

I realized that if Google could compute how many news sources were covering the underlying story at a given point in time, we could then estimate how important the story was. Thus, “Storyrank” was invented. This insight led to a ranking that combined the editorial wisdom of many editors on the web in real time. In addition to making search better it led to Google News - a display of stories in the news ranked automatically by an algorithm. This also allowed us to group news articles by story, thus providing visual structure and giving users access to diverse perspectives from around the world in one place.

After 10 years Mr. Bin Laden is in the news again. The story of the killing of Bin Laden has taken the online world by storm. This time, relevant coverage from around the world is just a click away, in an automatically compiled Google News cluster with more than 80,000 sources.

We have certainly come a long way in the last decade. Indeed, Google News now has over 70 editions in over 30 languages, and sends over 1 billion clicks a month to news publishers worldwide. Additionally, 1 out of 6 web searches on Google includes a set of news results, which are computed with the help of Storyrank. This helps bring coverage of the most important news story matching the query to the top of the ranking.

In the last 10 years there has been a lot of learning, iteration, and innovation in our team. And most importantly, we have acquired a loyal audience of news enthusiasts, who appreciate diversity and the ability to access multiple points of view on a story. To our users we would like to say “Thank You!”

We wanted to share with you some of the news coverage of the death of Bin Laden. Here is a sample of 100 links to news articles from representative sources worldwide:

ABC News - Abril - Agenzia Giornalistica Italia - - Associated Press - Atlanta Journal Constitution - Baltimore Sun - BBC News - Billboard - Bloomberg - Boston Globe - Boston Herald - BusinessWeek - - CBS News - CBSSports - Chicago Sun-Times - Chicago Tribune - Christian Science Monitor - CNET - CNN - Computerworld - Corriere della Sera - Dallas Morning News - - Detroit Free Press - E! Online - El Pais (Colombia) - El País (España) - El Universal (Venezuela) - ESPN - Forbes - Fox News - Globe and Mail - Ha'aretz - Hindustan Times - Huffington Post - InformationWeek - Jerusalem Post - Jewish Telegraphic Agency - Kansas City Star - La Repubblica - La Stampa - Le Point - Los Angeles Times - MarketWatch - - MSNBC - MTV - National Geographic - National Post - NDTV - New York Daily News - New York Times - New Yorker - Newsday - Newsweek - NFL News - NPR - NZZ Online - O Globo - PC Magazine - PCWorld - People Magazine - Philadelphia Inquirer - Politico - Reuters - RollingStone - Salt Lake Tribune - San Francisco Chronicle - San Jose Mercury News - Seattle Post Intelligencer - - Slate Magazine - Spiegel Online - Sydney Morning Herald - - The Atlantic - The Economist - The Guardian - The Hindu - TIME - Times of India - Toronto Sun - U.S. News & World Report - Us Magazine - USA Today - Vancouver Sun - Vanity Fair - Voice of America - Wall Street Journal - Washington Post - WELT ONLINE - Wired News - Yahoo! Sports - ZDNet - الجزيرة - العربية نت - 朝日新聞 - 読売新聞

For those of you who enjoy digging into data, here is a much larger list of over 150,000 links to news articles mentioning Osama Bin Laden over the last 5 days (May 1-5, 2011).

One of the many lessons I learned from 9/11 is that the world is highly connected. We live in a global society crisscrossed by virtual and physical dependencies, where knowledge is power and ignorance has consequences. This is a world where knowing what is happening to people in other parts of the world, and understanding their circumstances and beliefs, matters more than ever -- because their actions will ultimately affect our lives. Tools such as Google News, which bring order to information and make search smarter, can help us cope with the complexity of news and understand the big picture.

Further, as the wave of revolutions in North Africa demonstrates, online information does not merely reflect world events -- it can even cause them. These are indeed exciting times for those of us who work in the news space and get to witness the impact of journalism on society first hand!

Friday, May 6, 2011

[G] This week in search 5/6/11


Official Google Blog: This week in search 5/6/11

This is part of a regular series of posts on search experience updates that runs on Fridays. Look for the label "This week in search" and subscribe to the series. - Ed.

This week, you can get live stock quote updates, check out the top 40 doodles designed by incredibly creative students around the U.S. and visualize what one day of searches on Google looks like around the world.

Live streaming updates for stock quotes
When you search for a ticker symbol on, you’ll immediately see financial information right on the results page, but you used to have to refresh the page to get updated stock quotes. Now, you no longer have to refresh the entire page to see the latest price; instead you’ll see live streaming updates of that stock quote. For some markets, including the NASDAQ and NYSE, these quotes represent the latest real-time market data (be sure to read our disclaimer about real-time data).

The updates will appear in green or red as the stock price rises or falls.

U.S. Doodle 4 Google top 40 finalists announced
The judging results are in! The 40 student finalists in this year's Doodle 4 Google competition were announced this week and online voting opened to the public. With more than 107,000 submissions, the creativity of the K-12 students that participated was remarkable. Be sure to vote for your favorite doodle between now and May 13 at 11:59pm PDT. The student that wins will receive a $15,000 college scholarship and a $25,000 technology grant for their school, and see their artwork appear on the homepage on May 20.

Search Globe visualizes searches around the world
When you’re searching on Google, people all over the globe are searching at the same time, in hundreds of different languages. With the new Search Globe, you can see what one day of Google searches around the world looks like. The height of the bars depicts search volume in that region, and each different color represents the language of the majority of queries in an area. Because of the 3D graphics, you need a WebGL-enabled browser, like Google Chrome, to see the Search Globe.

Enjoy your weekend, and remember to keep your search skills sharp by trying to solve today’s A Google a Day question at

Posted by Johanna Wright, Director, Search Product Management

[G] Google moms share tech tips for your family


Official Google Blog: Google moms share tech tips for your family

As a Googler I often take my work home with me—in a good way. With two young boys at home, life is always busy, so my husband and I are always looking for ways to save time, get organized and enrich our lives in simple ways. Because the products I beta test and use in the office have become an integral part of my own family life, for Mother’s Day this weekend I’d like to share some favorite tips, including a few from other Googler parents.

Capturing and sharing memories
  • Instead of keeping 500 crayon masterpieces, store digital photos of all your kids’ artwork in Picasa Web Albums
  • Collect trip or party photos in one place by letting all of your paparazzi upload their snapshots to a collaborative online album
  • Tag friends and family in Picasa photos so you can easily create and share personalized collages, gift CDs/DVDs or movie slideshows
  • Use Picnik to edit your Picasa Web Albums photos. Use the “Create” tab to add text, stickers, frames and other effects to your photos—your kids can help, and you can email them as digital cards to distant relatives
  • Safely share home videos with family by inviting them to view a private YouTube video
  • Keep a running family history by encouraging relatives around the world to contribute stories and biographies in a shared Google doc or blog
Communicating and entertaining
  • Video chat through Gmail for free with long-distance grandparents and friends—this is also great for connecting kids with their parents when traveling
  • Entertain kids on the run with kid-friendly YouTube channels—like Sesame Street and School House Rock—Android apps or your own photos and videos on your mobile phone (kids love watching themselves!)
  • Have your kids help you create a video card or a cartoon on YouTube
  • Explore the world from the couch—fly around Google Earth on your mobile phone or tablet
  • On camping trips, use Sky Map to explore and name constellations. You can even travel back in time to show your kids what the sky looked like on the day they were born
  • Read the classics—like Anne of Green Gables, The Wind in the Willows and Grimm’s Fairy Tales—for free from Google eBooks; for older kids, many books that are required reading for school are also free. Google eBooks are accessible and readable on devices your family probably already has—like laptops or smartphones
My son Kai chatting with his dad while on a business trip

Organizing and planning
I hope these tips inspire moms (and dads) to celebrate your family this weekend. Here’s hoping you can save time and energy to focus on having fun with your kids!

Posted by Cathy Cheng, Webmaster Manager and proud mom of Kai (3 years) and Jin (10 months)

[G] This week's Trends: major news, proms, and the dougie


YouTube Blog: This week's Trends: major news, proms, and the dougie

Each weekday, we at YouTube Trends take a look at the most interesting videos and cultural phenomena on YouTube as they develop. We want take a moment to highlight some of what we've come across this week:

  • We tracked the reaction across the country following the President's address on the death of Osama bin Laden.

  • We studied how President Obama's correspondents' dinner remarks were the most watched ever on YouTube.

  • We catalogued 10 different, creative, and funny ways high school students asked each other to prom.

  • We looked into the history of "the dougie" through YouTube searches.

  • We saw how college kids are celebrating finals week with flash mob dances.

  • And this "ultimate dog tease" became one of the week's most-shared clips:

Check back every day for the latest about what's trending on YouTube at:

Kevin Allocca, YouTube Trends Manager, recently watched "Shower Dudes - Wanton Song."


[G] You old romantics you…72 million live streams in 188 countries for the Royal Wedding on YouTube


YouTube Blog: You old romantics you…72 million live streams in 188 countries for the Royal Wedding on YouTube

The Duke and Duchess of Cambridge are YouTube's newest megastars. Though half the globe was still in darkness, YouTube users from across the world got wedding fever for the Royal Household's official live stream of the landmark wedding on The Royal Channel.

The Royal Wedding was live streamed 72 million times around the world to 188 countries. Those who didn’t see it live still had an opportunity to don their fascinators and catch up with the re-broadcasts later in the day. When it was all said and done, the total streams on April 29, 2011 reached 101 million as romantics around the globe tuned in to watch the fairytale ceremony, the procession and the final balcony kiss.

And what a kiss it was…during the 10 seconds around the highly-anticipated Royal kiss, the YouTube channel site, powered by Google App Engine, experienced an additional 100,000 requests on top of the already high load … an effective additional 10,000 requests per second.

Live streams were highest in the UK and the US, but it looks like love was in the air across the channel as well. The top 5 countries viewing the live event online were:
  1. United Kingdom
  2. United States
  3. Italy
  4. Germany
  5. France

The online excitement extended to The Official Royal Wedding website. Since the launch on March 2, there have been approximately 37.7 million page views from 13.7 million visitors to the site, which was hosted on Google App Engine and built by Accenture.

The entire live stream of the Royal Wedding, along with video highlights can be found on The Royal Channel.

Congratulations to The Duke and Duchess of Cambridge!

Rachel Ball, partner development associate, recently watched “Best Wishes from Mr. McGrail's United States History Class.”


Thursday, May 5, 2011

[G] Google Earth optimized for Android-powered tablets


Official Google Mobile Blog: Google Earth optimized for Android-powered tablets

Cross-posted from the Official Google Blog

When we launched Google Earth in 2005, most of us were still using flip phones. At the time, the thought of being able to cart around 197 million square miles of Earth in your pocket was still a distant dream. Last year, that dream came to fruition for Android users when we released Google Earth for Android. With the recent release of tablets based on Android 3.0, we wanted to take full advantage of the large screens and powerful processors that this exciting new breed of tablets had to offer.

Today’s update to Google Earth for Android makes Earth look better than ever on your tablet. We’ve added support for fully textured 3D buildings, so your tour through the streets of Manhattan will look more realistic than ever. There’s also a new action bar up top, enabling easier access to search, the option to “fly to your location” and layers such as Places, Panoramio photos, Wikipedia and 3D buildings.

Moving from a mobile phone to a tablet was like going from a regular movie theatre to IMAX. We took advantage of the larger screen size, including features like content pop-ups appearing within Earth view, so you can see more information without switching back and forth between pages.

One of my favorite buildings to fly around in Google Earth has always been the Colosseum in Rome, Italy:

With the larger tablet screen, I can fly around the 3D Colosseum while also browsing user photos from Panoramio. The photos pop up within the imagery so I can interact with them without losing sight of the Colosseum and its surroundings. Also, by clicking on the layer button on the action bar, I can choose which layers I want to browse.

This version is available for devices with Android 2.1 and above. The new tablet design is available for devices with Android 3.0 (Honeycomb) and above. Please visit the Google Earth help center for more information.

To download or update Google Earth, head to in your device’s browser or visit Android Market. Enjoy a whole new world of Google Earth for tablets!

Posted by Peter Birch, Product Manager

[G] Google Voice and Sprint integration is live


Official Google Mobile Blog: Google Voice and Sprint integration is live

Cross-posted from the Google Voice Blog

It’s official, the Google Voice integration with Sprint is now live!

As we mentioned when we first announced the integration, there are two ways to bring Google Voice to your Sprint mobile phone:

Option 1: Keep your Sprint number: Your Sprint number becomes your Google Voice number so that when people call your Sprint mobile number, it rings all the phones you want.

Option 2: Replace your Sprint number with your Google Voice number: All calls made and texts sent from your Sprint phone will display your Google Voice number.

In both cases, Google Voice replaces Sprint voicemail and international calls made from the Sprint phone will be connected by Google Voice.

For detailed instructions on how to get started with either option, visit

This integration is currently only available to Sprint customers in the United States.

Posted by Patrick Moor, Software Engineer

[G] Security first: How Google Apps security helped our customers go Google


Official Google Enterprise Blog: Security first: How Google Apps security helped our customers go Google

At Google, two things that are important to us are hearing directly from customers and designing and building applications with data protection features in mind.

Today, we get the pleasure of combining the two as we host a Google Apps Customer Advisory Forum focused on security and compliance. These forums are one of the many ways that we interact with customers, share our plans, discuss their priorities and together help shape the future of Google Apps. Customers will share why the security and compliance features of Google Apps led them to Go Google, and how we can further enhance our products in these areas.

Many of the security and data protection measures in Google Apps are outlined in our security white paper. We’re the first major cloud provider to offer 2-step verification, default https encryption, attachment viewing and mobile device management in the browser, and many other security and administrative capabilities.

For additional information about the security and privacy of Google Apps, please visit our Google Apps Trust site where you can see a video that highlights the data protections that are in place in our data centers.

Posted by Adam Swidler, Sr. Manager, Google Enterprise

[G] Live webinar: The evolution of commerce and how you can capitalize


Official Google Enterprise Blog: Live webinar: The evolution of commerce and how you can capitalize

The retail landscape is evolving as new technologies provide additional ways to discover and purchase products. Mobile devices, for example, are fundamentally changing how consumers shop by facilitating product discovery, the reading of reviews, and more – all on the fly. Online shopping is also expanding as a result of technologies like Google Product Search and the Shopper mobile app, two of many new channels which drive traffic to both desktop and mobile sites.

In a March 2011 research study conducted by ROI Research, 49% of mobile searchers made a mobile purchase in the past six months, with 82% of respondents using mobile search to find an online retailer. Understandably, more and more retailers are not only improving their desktop site, but also creating distinct mobile experiences.

Join us tomorrow for a special look at innovations in e-commerce like the ones mentioned above. We’ll share our observations and a few ways you can increase conversion by bringing the latest in online retailing to your site.

When: Thursday, May 5, 2011 at 11:00 AM PT/2:00PM ET
Who: Nitin Mangtani, Group Product Manager for Google Commerce
Nancy Miller, VP of Internet and Development for Woodcraft Supply
Register now

We hope you'll join us, and also check out some of the other retail events we’re hosting in Santa Monica and New York.

Posted by Guillaume De Zwirek, Google Commerce Team

[G] AdWords Editor Version 9.0 released today


Inside AdWords: AdWords Editor Version 9.0 released today

Today we’re releasing AdWords Editor Version 9.0, with a number of new features designed to help you make changes across accounts more efficiently and manage new ad features, such as Ad Sitelinks and high-end mobile targeting, at scale. We’ve highlighted key changes below. More details are available in the AdWords Editor Version 9.0 release notes.

AdWords Editor Version 9.0 highlights:

Scalably manage Ad Sitelinks
Version 9.0 provides full support for Ad Sitelinks, including downloading and uploading to your account, making edits, checking changes, and importing and exporting.

Improved Add/Update Multiple and Import CSV tools

When entering new data using the Add/Update Multiple tool, you can now enter your data with the columns in any order, assign the appropriate headers to each column, select the option to remember the order of your columns for your next import, and approve or cancel the changes in the account in one click. In addition, Import CSV now includes the option to Paste Text as well as to import From File.

Set high-end mobile targeting options

AdWords Editor now supports the ability to set campaigns to target high-end mobile devices (including Android, iPhone, iPad, and Palm) and carriers in Campaign Settings.

Better manage multiple accounts and MCCs
To help you better manage multiple accounts, AdWords Editor now offers sort and search for accounts, select and remove multiple accounts, and a new dropdown menu above the Account tree in AdWords Editor that displays recently accessed accounts, so you can quickly switch to any one of them.

In addition, when adding an MCC account to the Add New AdWords Account dialog, you can search within the list of available child accounts, display extra columns, and move up to a different level in the MCC account hierarchy.

More easily find and make bulk changes to negative keywords, placements, or audiences

To more easily locate and manage negative keywords, placements, or audiences in your account, we’ve changed the way we display Negatives in AdWords Editor. The Negatives tab has been removed, and you can instead toggle between displaying negative or positive keywords, placements, or audiences by clicking the Positives or Negatives switch on each item’s respective tab.

The Select Duplicates button is now available for negative keywords when in the Duplicate keywords view mode.

The next time you log into your AdWords Editor account, you'll be prompted to upgrade. You may also download Version 9.0 from the AdWords Editor website. After you install the new version of AdWords Editor, your accounts will need to be downloaded again. To preserve your comments and unposted changes, select the Backup then Upgrade option in the automatic upgrade prompt and save the backup file to your computer. Then, re-download your account and import the backup file to AdWords Editor.

For more information, check out the release notes and visit the AdWords Editor Help Center.

Posted by Nathania Lozada, Inside AdWords crew

[G] Upcoming AdWords policy changes to better protect people’s personal and financial information


Inside AdWords: Upcoming AdWords policy changes to better protect people’s personal and financial information

AdWords should be a safe, fair, and trusted marketplace for both you and the users who click on your ads. That’s why many AdWords policies focus on transparency, user safety, and security.

On May 17th, we’ll be adding three requirements to our existing AdWords policies that cover disclosure and usage of personal information. These requirements will apply everywhere AdWords is available.

If your site requests payment, financial, or personal information from visitors, please review the new requirements and make any needed changes to avoid having your ads suspended.
  1. Clear, accessible disclosure before visitors submit personal information
    Our existing policy requires you to clearly describe how any personal information you solicit will be used. Soon, we’ll require that your description must also be easily accessible before site visitors submit their details.
  2. Option to discontinue direct communications
    In the same description of how personal information will be used, you’ll also be required to describe how people can opt out of future emails, phone calls, or other direct communications.
  3. SSL when collecting payment and certain financial and personal information
    Many websites use what are known as Secure Sockets Layer (SSL) connections to encrypt sensitive information that travels between the user's browser and the website's servers. To help ensure user safety, AdWords policy will require all advertisers to use SSL when collecting payments and certain financial and personal information (like bank account and social security numbers).
For more details, check out the following resources:
To stay current on all AdWords policy changes, please visit the AdWords Policy Change Log.

Posted by Dan Friedman, Inside AdWords crew

[G] Linux File Systems in the Cloud @ Linux Collaboration Summit 2011


Google Open Source Blog: Linux File Systems in the Cloud @ Linux Collaboration Summit 2011

As tech lead of the Google Linux Storage Team I get to see how Linux runs on tens of thousands of machines in Google's cloud. Over the last year our team migrated this super system from ext2 to ext4, an educational and exciting experience to say the least. We learned a lot about the impact of the Linux file system on Google.

Our team is often bombarded with questions from both within and outside of Google about why we chose ext4, and if the local file system even matters. The Linux Collaboration Summit with its audience of both kernel hackers and business folks interested in Linux deployments seemed like a good forum at which to present on this topic.

So with a lot of help from my team I put together a talk that covers a range of topics. The talk includes how cloud storage is different than both local and enterprise, our reasons behind choosing ext4 and the impact, and where the file systems need to improve to meet the demands of the cloud.

If you are interested in Linux, storage, clouds and some internal tales you might want to check it out.

By Michael Rubin, Google Engineering


[G] Google I/O 2011


Google Open Source Blog: Google I/O 2011

Google I/O, Google’s largest annual developer conference, will take place May 10-11 in San Francisco at the Moscone West Convention Center. Many of the tracks will feature open source products: Android, Google Web Toolkit, Google Chrome, and several Google APIs.

Open Source Program Manager Chris DiBona will be hosting a Fireside chat with the Android team on Tuesday, May 10th from 2:30-3:30pm. Earlier that day, Open Source Team Member Josh Bloch will be presenting “Java Puzzlers - Scraping the Bottom of the Barrel” from 1:15-2:15pm. Check the recently announced Google I/O full schedule for more detailed information on this year’s sessions.

The event is completely sold out, but you can watch live streaming video of both keynote presentations on the Internet. New this year is Google I/O Extended, which gives developers who are unable to attend Google I/O the opportunity to watch the keynote and other major sessions live with their peers at free viewing parties around the world. For more Google I/O updates, check @googleio.

By Stephanie Taylor, Open Source Programs


[G] Convert to HTML5 and WebM with Zencoder


The WebM Open Media Project Blog: Convert to HTML5 and WebM with Zencoder

Today's guest post is from Jon Dahl, CEO and co-founder of Zencoder.

Zencoder is a cloud service for video encoding. Through a simple API, we provide high-performance, high-quality video encoding for web and mobile, at any scale, small or large. Our customers range from broadcast media to online video publishers to UGC websites.

At Zencoder, we encourage our content publishers to support HTML5 video. Though HTML5 video is relatively new, it's now playable by more than 50% of Internet users, and that number is growing quickly.

We are committed to open technology and believe that WebM is the way forward for open video. Our open-source HTML5 video player, VideoJS, makes it easy to play WebM content in web browsers and mobile devices--but WebM encoding is needed too.

That's why, starting today, Zencoder is offering promotional pricing on WebM encoding. Until June 5th, 2011, all WebM encoding will be billed at 50% off of our published prices ($0.02-$0.05 per minute of video).

We also want to make it easy for publishers to convert large content collections to WebM, so we're also launching a new batch video encoder. This service makes it easy to transcode entire content libraries to WebM, but also to HD or for HTTP adaptive streaming.

In the coming year, more publishers will want to offer WebM support, and we hope Zencoder can help them make a seamless entry into the world of open video.

[G] Website Security for Webmasters


Google Online Security Blog: Website Security for Webmasters

Posted by Gary Illyes, Webmaster Trends Analyst

(Cross-posted from the Webmaster Central Blog)

Users are taught to protect themselves from malicious programs by installing sophisticated antivirus software, but they often also entrust their private information to various websites. As a result, webmasters have a dual task to protect both their website itself and the user data that they receive.

Over the years companies and webmasters have learned—often the hard way—that web application security is not a joke; we’ve seen user passwords leaked due to SQL injection attacks, cookies stolen with XSS, and websites taken over by hackers due to negligent input validation.

Today we’ll show you some examples of how a web application can be exploited so you can learn from them; for this we’ll use Gruyere, an intentionally vulnerable application we use for security training internally, and that we introduced here last year. Do not probe others’ websites for vulnerabilities without permission as it may be perceived as hacking; but you’re welcome—nay, encouraged—to run tests on Gruyere.

Client state manipulation - What will happen if I alter the URL?

Let’s say you have an image hosting site and you’re using a PHP script to display the images users have uploaded:

So what will the application do if I alter the URL to something like this and userpasswords.txt is an actual file?

Will I get the content of userpasswords.txt?

Another example of client state manipulation is when form fields are not validated. For instance, let’s say you have this form:

It seems that the username of the submitter is stored in a hidden input field. Well, that’s great! Does that mean that if I change the value of that field to another username, I can submit the form as that user? It may very well happen; the user input is apparently not authenticated with, for example, a token which can be verified on the server.
Imagine the situation if that form were part of your shopping cart and I modified the price of a $1000 item to $1, and then placed the order.

Protecting your application against this kind of attack is not easy; take a look at the third part of Gruyere to learn a few tips about how to defend your app.
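Both forms of client state manipulation above (a file name taken from the URL, and a username or price taken from a hidden form field) have the same fix: treat the client's value as a lookup key, never as the truth. The example below is added here and is not Gruyere's or the post's own code; the upload directory, the catalog and the session user are constructed stand-ins.

```python
import os
from decimal import Decimal

# Constructed environment (hypothetical paths and prices, not from the post).
UPLOAD_ROOT = os.path.realpath("/srv/images")
CATALOG = {"widget": Decimal("1000.00"), "sticker": Decimal("2.50")}


def resolve_image_path(user_supplied: str) -> str:
    """Map the image name from the URL onto a file inside UPLOAD_ROOT.

    Rejects traversal such as ../userpasswords.txt, absolute paths, NUL bytes
    and anything whose resolved location falls outside the upload directory.
    """
    if not user_supplied or "\x00" in user_supplied:
        raise ValueError("empty or NUL-containing name")
    # Only a bare file name is honoured: if stripping directory parts changes
    # the value, the client sent a path, not a name.
    name = os.path.basename(user_supplied)
    if name != user_supplied or name in (".", ".."):
        raise ValueError("path components are not allowed")
    candidate = os.path.realpath(os.path.join(UPLOAD_ROOT, name))
    # Belt and braces: after symlink resolution it must still be under the root.
    if os.path.commonpath([UPLOAD_ROOT, candidate]) != UPLOAD_ROOT:
        raise ValueError("resolved outside the upload directory")
    return candidate


def is_safe_image_name(user_supplied: str) -> bool:
    """Boolean wrapper around resolve_image_path for callers and checks."""
    try:
        resolve_image_path(user_supplied)
        return True
    except ValueError:
        return False


def order_total(form: dict, session_user: str):
    """Build an order from a submitted form without trusting hidden fields.

    A client may send 'username' and 'price' fields (hidden or not); both are
    ignored. The user comes from the authenticated session and the price from
    the server-side CATALOG, so editing the form cannot change either.
    Returns (user, total) or raises ValueError.
    """
    item = form.get("item", "")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", "1"))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return session_user, CATALOG[item] * qty
```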

Cross-site scripting (XSS) - User input can’t be trusted

A simple, harmless URL:'0wn3d')%3C/script%3E
But is it truly harmless? If I decode the percent-encoded characters, I get:

Gruyere, just like many sites with custom error pages, is designed to include the path component in the HTML page. This can introduce security bugs, like XSS, as it introduces user input directly into the rendered HTML page of the web application. You might say, “It’s just an alert box, so what?” The thing is, if I can inject an alert box, I can most likely inject something else, too, and maybe steal your cookies which I could use to sign in to your site as you.

Another example is when the stored user input isn’t sanitized. Let’s say I write a comment on your blog; the comment is simple:
<a href="javascript:alert('0wn3d')">Click here to see a kitten</a>

If other users click on my innocent link, I have their cookies:

You can learn how to find XSS vulnerabilities in your own web app and how to fix them in the second part of Gruyere; or, if you’re an advanced developer, take a look at the automatic escaping features in template systems we blogged about previously on this blog.
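The two XSS cases above, as an added example that is neither the post's nor Gruyere's own code: a custom 404 page that echoes the decoded path into HTML, beside the version that escapes it, and a comment renderer that escapes the link text and only accepts http, https or relative URLs as link targets, so a stored javascript: link is rendered as plain text. The percent-encoded path and the comment are the ones from the post; the page templates are constructed.

```python
import html
import re
from urllib.parse import unquote, urlsplit

# Schemes a user-supplied link may use; '' means a relative link.
ALLOWED_SCHEMES = {"http", "https", ""}


def error_page_vulnerable(raw_path):
    """A custom 404 that includes the path component as-is: whatever was
    percent-encoded in the URL is decoded and lands in the HTML unchanged."""
    path = unquote(raw_path)
    return "<h1>404</h1><p>Page %s was not found.</p>" % path


def error_page_safe(raw_path):
    """Same page, but the path is HTML-escaped before it reaches the markup."""
    path = unquote(raw_path)
    return "<h1>404</h1><p>Page %s was not found.</p>" % html.escape(path, quote=True)


def safe_href(url):
    """Return the URL if its scheme is allowed, else None. Whitespace is removed
    first because browsers ignore embedded tabs and newlines when reading a scheme."""
    cleaned = re.sub(r"\s", "", url)
    if urlsplit(cleaned).scheme.lower() not in ALLOWED_SCHEMES:
        return None
    return cleaned


def render_comment(text, href):
    """Render a stored comment as a link: text is escaped, the target is allowlisted,
    and a rejected target degrades to plain text instead of a clickable link."""
    link = safe_href(href)
    if link is None:
        return "<span>%s</span>" % html.escape(text)
    return '<a href="%s">%s</a>' % (html.escape(link, quote=True), html.escape(text))


if __name__ == "__main__":
    raw = "%3Cscript%3Ealert('0wn3d')%3C/script%3E"
    print(error_page_vulnerable(raw))
    print(error_page_safe(raw))
    print(render_comment("Click here to see a kitten", "javascript:alert('0wn3d')"))
```

Escaping has to match the context the value lands in: html.escape is right for element text and quoted attribute values, but a value placed inside a script block or a URL needs the escaping rules of that context, which is what the template auto-escaping mentioned above handles for you.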

Cross-site request forgery (XSRF) - Should I trust requests from

Oops, a broken picture. It can’t be dangerous--it’s broken, after all--which means that the URL of the image returns a 404 or it’s just malformed. Is that true in all of the cases?

No, it’s not! You can specify any URL as an image source, regardless of its content type. It can be an HTML page, a JavaScript file, or some other potentially malicious resource. In this case the image source was a simple page’s URL:

That page will only work if I’m logged in and I have some cookies set. Since I was actually logged in to the application, when the browser tried to fetch the image by accessing the image source URL, it also deleted my first snippet. This doesn’t sound particularly dangerous, but if I’m a bit familiar with the app, I could also invoke a URL which deletes a user’s profile or lets admins grant permissions for other users.

To protect your app against XSRF, do not allow state-changing actions to be invoked via GET; the POST method exists for exactly this kind of state-changing request. That change alone might have mitigated the attack above, but usually it is not enough: you also need to include an unpredictable value (a token) in every state-changing request to prevent XSRF. Please head to Gruyere if you want to learn more about XSRF.

Cross-site script inclusion (XSSI) - All your script are belong to us

Many sites today can dynamically update a page's content via asynchronous JavaScript requests that return JSON data. Sometimes, JSON can contain sensitive data, and if the correct precautions are not in place, it may be possible for an attacker to steal this sensitive information.

Let’s imagine the following scenario: I have created a standard HTML page and send you the link; since you trust me, you visit the link I sent you. The page contains only a few lines:
<script>function _feed(s) {alert("Your private snippet is: " + s['private_snippet']);}</script><script src=""></script>

Since you’re signed in to Gruyere and you have a private snippet, you’ll see an alert box on my page informing you about the contents of your snippet. As always, if I managed to fire up an alert box, I can do whatever else I want; in this case it was a simple snippet, but it could have been your biggest secret, too.

It’s not too hard to defend your app against XSSI, but it still requires careful thinking. You can use tokens as explained in the XSRF section, set your script to answer only POST requests, or simply start the JSON response with ‘\n’ to make sure the script is not executable.
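The XSRF and XSSI defences from the two sections above, as one added example (not the post's or Gruyere's own code): the snippet-deleting handler in its GET-without-token form beside a version that accepts only POST with a token derived from the session, and the private-snippet feed as an executable callback beside a plain JSON response behind a non-executable prefix that the app's own client strips before parsing. The secret key, the session id, the snippet store and the ")]}'" prefix are assumptions made for the demonstration; any prefix that is a JavaScript syntax error serves the same purpose.

```python
import hashlib
import hmac
import json

# Constructed demo values; a real app loads the key from configuration.
SECRET_KEY = b"constructed-demo-secret"
# Assumed non-executable prefix: ")]}'" is a JavaScript syntax error, so a
# <script src=...> that loads the response fails before any data is reached,
# while the app's own XHR client simply strips the prefix before parsing.
JSON_PREFIX = ")]}'\n"


def new_store():
    """Constructed per-user snippet store: index 0 is public, index 1 is private."""
    return {"alice": ["hello world", "my private snippet"]}


def xsrf_token(session_id):
    """Unpredictable per-session value derived from the server secret and the session."""
    return hmac.new(SECRET_KEY, b"xsrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def token_ok(session_id, token):
    return token is not None and hmac.compare_digest(xsrf_token(session_id), token)


def delete_snippet_vulnerable(request, store):
    """State change on GET with no token: any page the victim visits can trigger it
    with <img src="...deletesnippet?index=0">, because the browser attaches the cookies."""
    store[request["user"]].pop(int(request["params"]["index"]))
    return 200


def delete_snippet_safe(request, store):
    """Same action, but only via POST and only with a token bound to the session."""
    if request["method"] != "POST":
        return 405
    if not token_ok(request["session_id"], request["params"].get("token")):
        return 403
    store[request["user"]].pop(int(request["params"]["index"]))
    return 200


def feed_vulnerable(user, store):
    """JSONP-style response: executable JavaScript that calls the page's _feed()
    callback, so a third-party page that defines _feed() receives the private data."""
    return "_feed(%s)" % json.dumps({"private_snippet": store[user][1]})


def feed_safe(user, store):
    """Plain JSON behind the non-executable prefix: no callback, nothing to execute."""
    return JSON_PREFIX + json.dumps({"private_snippet": store[user][1]})


def client_parse(body):
    """What the app's own JavaScript does before JSON.parse: strip the prefix."""
    if not body.startswith(JSON_PREFIX):
        raise ValueError("unexpected response framing")
    return json.loads(body[len(JSON_PREFIX):])


def forged_request(method, params):
    """A request the browser sends for a logged-in victim from another site: the
    cookies (user, session) are present, but the other site cannot know the token."""
    return {"method": method, "user": "alice", "session_id": "sess-alice", "params": params}


if __name__ == "__main__":
    store = new_store()
    print(delete_snippet_safe(forged_request("GET", {"index": "0"}), store))          # 405
    print(delete_snippet_safe(forged_request("POST", {"index": "0"}), store))         # 403
    print(client_parse(feed_safe("alice", store)))
```

The token check uses hmac.compare_digest rather than == so that a wrong token is rejected in constant time; the HMAC construction means the server stores nothing per token and only needs the secret and the session id to verify.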

SQL Injection - Still think user input is safe?

What will happen if I try to sign in to your app with a username like
JohnDoe'; DROP TABLE members;--

While this specific example won’t expose user data, it can cause great headaches because it has the potential to completely remove the SQL table where your app stores information about members.

Generally, you can protect your app from SQL injection with proactive thinking and input validation. First, are you sure the SQL user needs permission to execute "DROP TABLE members"? Wouldn't it be enough to grant only SELECT rights? By setting the SQL user's permissions carefully, you can avoid painful experiences and lots of trouble. You might also want to configure error reporting in such a way that the database and its tables' names aren't exposed in the case of a failed query.
Second, as we learned in the XSS case, never trust user input: what looks like a login form to you looks like a potential doorway to an attacker. Always sanitize and quote-escape input that will be stored in a database, and whenever possible use what are generally referred to as prepared or parameterized statements, available in most database programming interfaces.
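An added example using Python's sqlite3 module (not the post's or Gruyere's own code) that walks through the username above and both defences: the concatenated query runs every statement it is handed and the members table is gone afterwards; the parameterized version treats the whole username as data, so nothing matches and the table survives; and a SELECT-only privilege is imitated with an sqlite3 authorizer callback that denies DROP TABLE, since SQLite has no GRANT. The accounts and the table layout are constructed for the demonstration.

```python
import sqlite3

# Constructed sample accounts (not from the post).
SAMPLE_MEMBERS = [("JohnDoe", "correct-horse"), ("alice", "battery-staple")]

# The username from the post, exactly as an attacker would type it into the form.
INJECTED_USERNAME = "JohnDoe'; DROP TABLE members;--"


def new_db():
    """Fresh in-memory database holding the members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'members'"
    ).fetchone()
    return row is not None


def build_login_sql_vulnerable(username, password):
    """String formatting: the user input becomes part of the SQL text itself."""
    return ("SELECT 1 FROM members WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Runs the concatenated query. executescript() executes every statement in
    the string, as many database drivers do; sqlite3.execute() would refuse the
    second statement, which is a quirk of this driver, not a defence. Only the
    side effect matters here, so the SELECT's result is not read."""
    try:
        conn.executescript(build_login_sql_vulnerable(username, password))
        return "executed"
    except sqlite3.DatabaseError as exc:   # e.g. "not authorized" from the authorizer
        return "rejected: %s" % exc


def login_safe(conn, username, password):
    """Parameterized statement: the input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT 1 FROM members WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def restrict_to_select(conn):
    """Least privilege in miniature: deny DROP TABLE on this connection. This is
    an assumed stand-in for granting the app's database user SELECT rights only."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_DROP_TABLE:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def demo():
    results = {}

    conn = new_db()
    login_vulnerable(conn, INJECTED_USERNAME, "x")
    results["vulnerable_table_survives"] = table_exists(conn)

    conn = new_db()
    results["safe_login_with_injection"] = login_safe(conn, INJECTED_USERNAME, "x")
    results["safe_login_valid"] = login_safe(conn, "JohnDoe", "correct-horse")
    results["safe_table_survives"] = table_exists(conn)

    conn = new_db()
    restrict_to_select(conn)
    results["restricted_outcome"] = login_vulnerable(conn, INJECTED_USERNAME, "x")
    results["restricted_table_survives"] = table_exists(conn)
    return results


if __name__ == "__main__":
    print(build_login_sql_vulnerable(INJECTED_USERNAME, "x"))
    for key, value in demo().items():
        print(key, value)
```

The privilege restriction limits the damage but does not fix the bug: with the authorizer in place the injected text still reaches the SQL parser, and a payload that only reads data would still succeed. The parameterized query is the fix; the reduced privileges are the safety net for the query you forgot to parameterize.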

Knowing how web applications can be exploited is the first step in understanding how to defend them. In light of this, we encourage you to take the Gruyere course, take other web security courses from the Google Code University and check out skipfish if you're looking for an automated web application security testing tool. If you have more questions please post them in our Webmaster Help Forum.