Thursday, October 12, 2023

Re: Reg: Service URL manipulation in the request payload

On Thursday, October 12, 2023 at 10:14:01 AM UTC+2 paulraj...@gmail.com wrote:
Hello Team,

I have a question on the GWT RPC request payload. We know that the request payload has the service URL along with other data pertaining to the remote method.

The testing team is using the Burp tool to manipulate the payload and give a different URL, e.g. 'www.google.com' instead of www.mydomain.com.

1. Would the request be routed to google.com DNS server since the payload has ? 
2. Does GWT RPC make any DNS call to this manipulated URL while processing the request from client ?
3. With a manipulated URL in the payload, does the request still reach the actual/original endpoint of the service (remote servlet)?

To my knowledge, the URL in the request payload is not used for invoking the remote method, it is just for reference purpose only.

See details in https://docs.google.com/document/d/1eG0YocsYYbNAtivkLtcaiEE5IOF5u4LUol8-LL0TIKU/edit#heading=h.tgrvjl8bdel
The URL is parsed (https://github.com/gwtproject/gwt/blob/88bc805b563396704d660470240fc6b5eef0533a/user/src/com/google/gwt/user/server/rpc/RemoteServiceServlet.java#L60) but not resolved.
(that moduleBaseUrl value is read at https://github.com/gwtproject/gwt/blob/88bc805b563396704d660470240fc6b5eef0533a/user/src/com/google/gwt/user/server/rpc/impl/ServerSerializationStreamReader.java#L497)

tl;dr: the scheme and authority (and any query string) are actually ignored, and only the path part of the URL is used. The pair of path + the next value in the request payload are used to load the serialization policy used to process the rest of the request. Worst that could happen is a failure to load the serialization policy and falling back to the default serialization policy which would likely cause deserialization of the request (or serialization of the response) to fail.
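As an added illustration (not code from this thread or from GWT itself), here is a small Python model of the lookup described above: the moduleBaseURL is parsed, only its path is kept, and path + strong name select a serialization policy file, with the legacy default policy as the fallback. The context path, strong name and the policy table are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample: policy files the web app ships, keyed by the
# context-relative resource name the servlet would ask the container for
# (<context-relative module path><strongName>.gwt.rpc). Names are made up.
AVAILABLE_POLICIES = {
    "/myapp/ABC123.gwt.rpc": "policy-for-ABC123",
}
DEFAULT_POLICY = "legacy-default-policy"  # fallback when no policy file is found


def select_policy(module_base_url, strong_name, context_path="/app"):
    """Return (policy, reason) for one request.

    Only the path of module_base_url matters: scheme, authority and query
    string are dropped, and the host is never resolved or contacted.
    """
    try:
        module_path = urlparse(module_base_url).path
    except ValueError:
        return DEFAULT_POLICY, "malformed moduleBaseURL"
    # The module must live inside this web application's context path.
    if not module_path.startswith(context_path):
        return DEFAULT_POLICY, "module path not inside this web application"
    relative_path = module_path[len(context_path):]
    policy_file = f"{relative_path}{strong_name}.gwt.rpc"
    policy = AVAILABLE_POLICIES.get(policy_file)
    if policy is None:
        return DEFAULT_POLICY, f"no policy file {policy_file}"
    return policy, f"loaded {policy_file}"


if __name__ == "__main__":
    for url in ("http://www.mydomain.com/app/myapp/",
                "http://www.google.com/app/myapp/?x=1",   # host/query ignored
                "http://www.google.com/elsewhere/myapp/",  # path outside app
                "http://www.mydomain.com/app/other/"):     # no policy file
        print(url, "->", select_policy(url, "ABC123"))
```

Swapping the host changes nothing as long as the path is intact; changing the path only degrades the request to the default policy, which is what makes the deserialization fail rather than reach another server.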
