Tuesday, September 28, 2010

Re: Vulnerabilities in GWT applications

Let's look at the vulnerabilities one at a time.

Cross Site Scripting (XSS)
With GWT, the attack vectors for XSS are restricted to the following - 
  1. Host html/jsp page that has reflected XSS
  2. Custom Javascript libraries
  3. JSNI code that you have written within GWT
  4. Places where you have called eval(), or have used built-in JSONParser to parse untrusted JSON
  5. Code that assigns window.location on untrusted strings
  6. Code that uses setInnerHtml on untrusted data
This isn't an exhaustive list, but represents the most common attack vectors for a GWT app. If you do a manual code-review for these patterns, you will catch most of your XSS problems. And if your GWT app follows best practices, you really won't be using most of the above patterns.

SQL Injection
This is largely outside the scope of GWT, but there are a couple of things you can do.

Cross Site Request Forgery
If you are using the latest GWT version, you are largely protected from CSRF. GWT includes a custom http header in each RPC request, and that takes care of CSRF on most browsers. The only vulnerable ones are people with outdated versions of Flash Player.

If you are paranoid and want to protect the users who don't upgrade their browsers, read this post on Lombardi's blog. IMHO, you should do that only if you are using an older version of GWT and can't upgrade.

Lastly, if you want to de-obfuscate some of GWT's code to perform security analysis, you might want to check out degwt. It has a bunch of useful notes and a couple of bookmarklets, but I am still working to complete that library.

Hope that helps!
--Sri


On 28 September 2010 16:59, Basdl <bz@cirosec.de> wrote:
Hello,

I'd like to find vulnerabilities in my GWT applications.
Thus, I prepared an example application with SQL injection
and cross-site scripting holes.
Now I want to find these holes with automatic tests.
In my opinion, a static analysis is a reasonable way to do this.
When (manually) searching the generated javascript, I located
my variables in the first script-tag in the body and the
corresponding function in the 18th script tag.

Now I have the following questions:
- Is there documentation of the GWT compiler available
 that shows how the java source is translated into javascript?
 Then I could inspect only the part of the javascript
 that is related to my self-coded java and not to the framework.
- How can I identify standard parameters and functions (to skip them)?
- Does anyone know a better solution to find the described
vulnerabilities?
- Do you have some hints to perform such a security analysis?

Thanks in advance

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
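As an added example (not code from Sri, Basdl, or the GWT project), here is a small Python scanner that greps compiled JavaScript for the client-side sinks in the checklist above: eval(), the Function constructor, innerHTML writes, setInnerHTML, location assignment and document.write. It is one concrete answer to the question of how to automate the search. GWT-compiled code and JSNI reach the browser through the $wnd and $doc aliases, so those are matched alongside window and document. The sample input is constructed to look like obfuscated compiler output and is not real GWT output. The caveat a reviewer needs: this flags use of a sink, not whether untrusted data reaches it, and the GWT runtime itself will trigger some hits (the reply notes the built-in JSONParser uses eval), so each finding still has to be traced back to its data source by hand.

```python
"""Grep-level scanner for client-side XSS sinks in compiled JavaScript.

Added example, not GWT project code. It reports lines that use a dangerous
sink so a reviewer can check whether the data reaching it is trusted.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Sink patterns taken from the checklist in the reply above. Only writes are
# flagged: reading window.location.href or comparing innerHTML is harmless,
# hence the (?!=) lookahead that rejects "==" comparisons. "+=" on innerHTML
# appends markup and is treated as a write.
SINK_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "function-constructor": re.compile(r"\bnew\s+Function\s*\("),
    "innerHTML-assignment": re.compile(r"\.innerHTML\s*\+?=(?!=)"),
    "setInnerHTML": re.compile(r"\bsetInnerHTML\s*\("),
    "location-assignment": re.compile(r"(?:\$wnd|\bwindow)\.location(?:\.href)?\s*=(?!=)"),
    "document-write": re.compile(r"(?:\$doc|\bdocument)\.write(?:ln)?\s*\("),
}


@dataclass
class Finding:
    line_no: int
    sink: str
    snippet: str


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per (line, sink) pair; a line may hit several sinks."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for sink, pattern in SINK_PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(line_no, sink, line.strip()[:100]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per sink, which is the quick view a reviewer triages from."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.sink] = counts.get(f.sink, 0) + 1
    return counts


# Constructed sample written in the style of GWT's obfuscated output; it is not
# real compiler output. Lines 4 to 6 are deliberately safe and must not be flagged.
SAMPLE_JS = """\
function Ab(a){var b=$doc.createElement('div');b.innerHTML=a;return b}
function Bb(a){return eval('(' + a + ')')}
function Cb(a){$wnd.location=a}
function Db(a,b){a.textContent=b}
function Eb(a){return a.innerHTML==''?1:2}
var Fb=window.location.href;
"""


def scan_sample() -> List[Finding]:
    return scan_lines(SAMPLE_JS.splitlines())


if __name__ == "__main__":
    # With no arguments the built-in sample is scanned; otherwise each path given.
    paths = sys.argv[1:]
    results: List[Finding] = []
    if not paths:
        results = scan_sample()
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_lines(fh):
                results.append(Finding(f.line_no, f.sink, f"{path}: {f.snippet}"))
    for f in results:
        print(f"line {f.line_no:>5}  {f.sink:<22} {f.snippet}")
    print("summary:", summarize(results))
```

Run it against the *.cache.js files the GWT compiler emits; hits inside the framework's own runtime are expected and are the part you skip once you have confirmed they only ever receive trusted input, while hits in your own JSNI or custom libraries are the ones to fix.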

