Friday, July 21, 2023

Re: GWT RPC call recognized as a Java Method Injection by Fortiweb



On Friday, July 21, 2023 at 11:38:59 AM UTC+2 petr...@o3enterprise.com wrote:
We have one deployment of a GWT app where there is a Fortiweb firewall that blocks every GWT RPC call because it recognizes every call as a Java Method Injection attack. This seems to be caused by the presence of the pattern "java.lang." in the messages from the client to the server like the following:

My idea is to convince the firewall administrator that these are false-positives as these calls are part of the GWT RPC mechanism that does not allow arbitrary java code execution on the server side.

Is my reasoning correct or am I not worried enough?

Your reasoning is correct. But you can also obfuscate type names to prevent triggering the WAF: https://github.com/gwtproject/gwt/blob/main/user/src/com/google/gwt/user/RemoteServiceObfuscateTypeNames.gwt.xml 
(disclaimer: I haven't used RPC for more than 10 years)
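As an added illustration of the argument in the question (this is not code from the thread, from GWT, or from Fortiweb): the "java.lang." text a signature-based WAF keys on is a type token in the GWT-RPC string table, and what actually bounds deserialization on the server is the compiler-generated serialization policy, not the absence of that substring. The sample request body below is constructed, following the public pipe-delimited GWT-RPC layout (version, flags, string-table size, the strings, then integer references into the table); the strong name, service name and the set used as a stand-in for the .gwt.rpc policy are invented for the example, and only top-level parameter types are modelled, not nested object graphs.

```python
import re

# Constructed GWT-RPC request body (not captured from any real deployment).
# Fields: version | flags | string-table size | strings ... | integer refs ...
# Refs are 1-based indexes into the string table; the first four name the
# module base URL, policy strong name, service interface and method.
SAMPLE_REQUEST = (
    "7|0|6|https://app.example.com/app/|"
    "2A3B4C5D6E7F8091A2B3C4D5E6F70819|"          # invented strong name
    "com.example.client.GreetingService|greetServer|"
    "java.lang.String/2004016611|Hello WAF|"
    "1|2|3|4|1|5|6|"
)

# A naive WAF-style rule that flags any occurrence of "java.lang." (assumed,
# modelled on the behaviour described in the question, not a vendor signature).
NAIVE_SIGNATURE = re.compile(r"java\.lang\.")

# Stand-in for the server's serialization policy (.gwt.rpc), which lists the
# types the compiled client may send. Contents here are assumed for the example.
SERIALIZATION_POLICY = {
    "java.lang.String/2004016611",
    "com.example.shared.Greeting/1234567890",   # invented app type and hash
}


def parse_gwt_rpc(body: str) -> dict:
    """Split a GWT-RPC request into its header, parameter types and argument refs."""
    fields = body.split("|")
    if fields and fields[-1] == "":
        fields.pop()                      # drop the trailing separator
    version, flags, n = int(fields[0]), int(fields[1]), int(fields[2])
    strings = fields[3:3 + n]
    refs = [int(x) for x in fields[3 + n:]]
    if len(refs) < 5:
        raise ValueError("truncated GWT-RPC header")

    def s(i: int):
        return strings[i - 1] if i else None      # 0 means null

    param_count = refs[4]
    param_types = [s(r) for r in refs[5:5 + param_count]]
    return {
        "version": version,
        "flags": flags,
        "module_base": s(refs[0]),
        "strong_name": s(refs[1]),
        "service": s(refs[2]),
        "method": s(refs[3]),
        "param_types": param_types,
        "arg_refs": refs[5 + param_count:],
        "string_table": strings,
    }


def naive_waf_blocks(body: str) -> bool:
    """True when the substring rule would reject this request."""
    return NAIVE_SIGNATURE.search(body) is not None


def policy_allows(body: str, policy: set) -> bool:
    """True when every declared parameter type is in the serialization policy."""
    parsed = parse_gwt_rpc(body)
    return all(t in policy for t in parsed["param_types"])


def types_outside_policy(body: str, policy: set) -> list:
    """Type tokens the server-side policy would refuse to instantiate."""
    return [t for t in parse_gwt_rpc(body)["param_types"] if t not in policy]


if __name__ == "__main__":
    req = parse_gwt_rpc(SAMPLE_REQUEST)
    print("method:", req["service"], req["method"])
    print("param types:", req["param_types"])
    print("naive rule blocks it:", naive_waf_blocks(SAMPLE_REQUEST))
    print("policy allows it:", policy_allows(SAMPLE_REQUEST, SERIALIZATION_POLICY))
```

Run as-is it shows the same request being rejected by the substring rule while every type it names is in the policy allowlist; swapping the policy for one that lacks the String entry makes policy_allows return False, which is the check the real server performs, whereas the substring rule cannot tell the two apart. If the WAF administrator will not add an exception, the reply's suggestion (inherit com.google.gwt.user.RemoteServiceObfuscateTypeNames in the module .gwt.xml) removes the readable type names from the wire format, but that is evasion of a false positive, not a change to what the server will deserialize.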

To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/40bf5948-5d59-4d47-8686-7b1db98e80fdn%40googlegroups.com.
