Tuesday, June 29, 2010

Re: Soliciting approaches for GWT and XSS-prevention

On 29 June, 07:37, Sripathi Krishnan <sripathi.krish...@gmail.com> wrote:
> With GWT, you are isolated to the following attack vectors -
>
>    1. Using native eval()
>    2. Using setInnerHTML() methods
>    3. Using non-gwt javascript code/thirdparty js libraries
>    4. XSS on the host html/jsp page
>
> Check-list to prevent XSS for GWT applications -
>
>    - Don't EVER use eval() directly. There is hardly ever a need to use it.
>    Remember - eval is evil.

... but note that JSONParser and JsonUtils *do* use eval() to "parse"
JSON.
This is being worked on though: http://gwt-code-reviews.appspot.com/86803/show

>    - Avoid using setInnerHTML directly. UIBinder should take care of 80-90%
>    of your use cases. When you must use it, be careful to html escape any data.
>    Standard HTML encoding rules apply - refer to OWASP's XSS
>    cheatsheet <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_...> for
>    more information.

Ray Ryan talked about "Safe HTML" at I/O, which should be integrated
into GWT proper at some point in time, but for now can be found on the
WaveProtocol project:
http://code.google.com/p/wave-protocol/source/browse/src/org/waveprotocol/wave/client/common/safehtml/?repo=io2010
It's just a helper for building HTML fragments where some parts come
from untrusted sources.

>    - Avoid using external JS. If you have to, use a trusted library, or be
>    prepared to review the code
>    - Use GWTs RPC - it will help you avoid XSS. If you cannot use RPC and
>    are forced to use JSON/JSONP - use a safe JSON Parser. Search GWT forum -
>    you will find a thread that discusses safe JSON Parsing. Additionally, the
>    server that is generating JSON can take care to encode the data (this would
>    need to follow javascript escaping rules described in OWASP's cheatsheet)

See above; I guess the JSONParser/JsonUtils improvements are targeted
at GWT 2.1.

>    - You will have to take care of encoding data to avoid XSS on the host
>    html/jsp. This has nothing to do with GWT - and the techniques described on
>    OWASPs website/Internet are good enough for this purpose.
>
> Additionally, you may want to read Security for GWT
> Applications <http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gw...> -
> it introduces XSS and CSRF, and then explains what you can do to avoid
> them.
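As an added example (not code from this thread, from GWT or from the WaveProtocol SafeHtml helper), here is a small JavaScript sketch of the "safe HTML" idea discussed above: literal template markup is trusted, every interpolated value is treated as untrusted and escaped per the OWASP rules, and URLs placed in an attribute get a scheme check on top of escaping. All function and class names are illustrative.

```javascript
// Escape the characters that let data break out of an HTML text or
// attribute context (the set recommended by the OWASP XSS cheat sheet).
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Marks a string as markup that has already been built safely, so
// fragments can be nested without being double-escaped.
class SafeHtmlFragment {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

// Tagged template: safeHtml`<b>${name}</b>`. The literal parts are the
// developer's markup; each ${value} is escaped unless already a fragment.
function safeHtml(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtmlFragment ? v.html : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtmlFragment(out);
}

// Escaping alone does not make a URL safe inside href: a "javascript:"
// scheme survives it. Allow only http(s), otherwise fall back to a stub.
function safeUrl(untrusted) {
  const u = String(untrusted).trim();
  return /^https?:\/\//i.test(u) ? u : 'about:blank';
}

// Builds a fragment that could be handed to setInnerHTML(). name and
// profileUrl are untrusted (think: values from a JSON response).
function renderUserCard(name, profileUrl) {
  const link = safeHtml`<a href="${safeUrl(profileUrl)}">${name}</a>`;
  return safeHtml`<div class="user">${link} (${name})</div>`.html;
}
```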
