Wednesday, September 29, 2010

Re: Vulnerabilities in GWT applications

Hi,

First let us clarify what "GWT App" may mean:

a) the browser part compiled to JavaScript
b) The server part, still running in Java
The overall app means a) + b).

a) is always untrustable. Any attacker could substitute the client with
anything he/she likes.
Even when you deliver the best-secured browser client, it does not
increase the security of your overall app.

b) GWT-RPC does some automatic improvements; however, you must check
any input because there is no guarantee that it comes from a trusted and
honest source.
However, the server side is still Java, so any Java security techniques
may apply. This is hardly a GWT topic.

I don't think there is an automatic way to find vulnerabilities.
Without understanding classical attack vectors and a great deal of inspiration
for finding potential new ones, you won't increase security.
This will always be a manual task for a human being.

When you need a second pair of professional eyes, you may contact me.
Your site is one hour from my site.

Stefan Bachert
http://gwtworld.de


On 28 Sep., 13:29, Basdl <b...@cirosec.de> wrote:
> Hello,
>
> I'd like to find vulnerabilities in my GWT applications.
> Thus, I prepared an example application with SQL injection
> and cross-site scripting holes.
> Now I want to find these holes with automatic tests.
> In my opinion, a static analysis is a reasonable way to do this.
> When (manually) searching the generated JavaScript, I located
> my variables in the first script tag in the body and the
> corresponding function in the 18th script tag.
>
> Now I have the following questions:
> - Is there documentation of the GWT compiler available
>   that shows how the Java source is translated into JavaScript?
>   Then I could inspect only the part of the JavaScript
>   that is related to my self-coded Java and not to the framework.
> - How can I identify standard parameters and functions (to skip them)?
> - Does anyone know a better solution to find the described
> vulnerabilities?
> - Do you have some hints to perform such a security analysis?
>
> Thanks in advance
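Server-side handling of a GWT-RPC call that treats every argument as untrusted, as the reply above recommends, written as an added example that is not code from this thread or from the GWT project; the `UserService` interface, the `lookupUser` method, the `users` table and the JNDI name `jdbc/appDb` are assumptions.

```java
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

// Hypothetical shared interface; on the client it is compiled to JavaScript,
// so nothing the client does with it can be relied on by the server.
interface UserService extends RemoteService {
    String lookupUser(String username);
}

public class UserServiceImpl extends RemoteServiceServlet implements UserService {
    // Allow-list of what a legitimate client would ever send. The check is
    // repeated here on the server because the client-side copy can be bypassed.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_.-]{1,32}");

    @Override
    public String lookupUser(String username) {
        if (username == null || !USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        // Bound parameter instead of string concatenation: the SQL injection
        // hole from the question cannot occur even if the pattern were wider.
        try (Connection db = openConnection();
             PreparedStatement ps = db.prepareStatement(
                     "SELECT display_name FROM users WHERE username = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? escapeHtml(rs.getString(1)) : null;
            }
        } catch (SQLException | NamingException e) {
            throw new RuntimeException("lookup failed", e);
        }
    }

    // Assumed container-managed DataSource; the JNDI name is a placeholder.
    private static Connection openConnection() throws SQLException, NamingException {
        DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/appDb");
        return ds.getConnection();
    }

    // Encode for the HTML context the client renders into, so stored data
    // cannot become the cross-site scripting hole the question mentions.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```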

