Completely agree that if you are testing one specific GWT application that you have developed, it is always better to
- grep for XSS vulnerabilities,
- do a manual code review and directly invoke the RPC services from a Java program to test for SQL injection.
But what if you are doing a black-box security review and don't have access to the code? The above techniques don't work in that case.
There are automated scanners for regular web-applications, but AFAIK, there is nothing in the market for penetration-testing a GWT application. From what I understand, @Basdl is a security professional, and is probably assigned the job of testing a GWT application someone else built. In that case, there is nothing much he can do but to write a tool that does some reverse engineering of GWT generated code.
I had started degwt to build that reverse-engineering tool to be used in such cases, but as with most open source projects, I lost steam half-way through. It's not useful for most people on this mailing list, because the vast majority will always have access to the code. But for a few people like me and Basdl, I believe it has some potential.
--Sri
On 29 September 2010 21:34, Thomas Broyer <t.broyer@gmail.com> wrote:
On Sep 29, 5:54 pm, Basdl <b...@cirosec.de> wrote:
> Hi,
>
> I want to find security holes in a) and b).
>
> I know that a) is always untrustable but there are some things to check out,
> e.g. read / write of window.location or use of setInnerHtml on untrusted data, as
> Sripathi Krishnan said.
You'd probably have better luck searching all occurrences of
HasHTML.setHTML and/or Element.setInnerHTML and/or Window.Location and
manually checking, than trying to write a robot to find holes for you.
> With the knowledge of possible GWT-RPCs I can try to attack b).
> Thus, I can check if the input is validated correctly on the server.
If the goal is to check your code, as opposed to GWT
RemoteServiceServlet and associated RPC serialization, then how about
just calling your methods in pure Java, without resorting to "GWT-RPC
over HTTP".
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
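Both approaches discussed in the thread (calling the RPC methods directly when you have the code, and black-box testing when you don't) come down to being able to speak GWT-RPC yourself. The Python below is an added example, not code from degwt or from GWT: it parses a version-7 GWT-RPC request body of the kind you capture in an intercepting proxy, resolves the service, method and parameters from the string table, and rewrites one String parameter so a tester can replay injection probes against the server-side validation. The layout followed is the documented GWT-RPC request format (header, string table, 1-based string indices for module base URL, permutation strong name, service interface and method, then the parameter count, one type index per parameter, and the parameter values), with `|` escaped as `\!` and `\` as `\\` inside strings. The host, service and method names in the sample request are constructed for illustration; only parameters that occupy a single token (Strings and most primitives) are handled.

```python
"""Parse and rewrite a GWT-RPC (version 7) request body for black-box testing.

Added example (not degwt or GWT code).  Constructed sample request below.
"""
import dataclasses
from dataclasses import dataclass
from typing import List

# Constructed sample: a captured request to a hypothetical GreetingService.greetServer("alice")
SAMPLE_REQUEST = (
    "7|0|6|http://localhost:8080/app/|ABC123|com.example.rpc.GreetingService|"
    "greetServer|java.lang.String/2004016611|alice|1|2|3|4|1|5|6|"
)


def split_fields(body: str) -> List[str]:
    """Split on '|' while honouring GWT's escapes (\\! -> |, \\\\ -> \\)."""
    fields, cur, i = [], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            cur.append("|" if nxt == "!" else nxt)
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:  # body normally ends with '|', so this only fires on a truncated body
        fields.append("".join(cur))
    return fields


def escape_field(s: str) -> str:
    """Inverse of the unescaping in split_fields."""
    return s.replace("\\", "\\\\").replace("|", "\\!")


@dataclass
class GwtRpcRequest:
    version: int
    flags: int
    strings: List[str]        # the string table, referenced by 1-based index
    module_base: str
    strong_name: str          # permutation strong name (also sent as X-GWT-Permutation)
    service: str              # fully qualified RemoteService interface
    method: str
    param_types: List[str]    # e.g. "java.lang.String/2004016611"
    param_values: List[str]   # raw tokens; String params hold a string-table index


def parse_request(body: str) -> GwtRpcRequest:
    f = split_fields(body)
    version, flags, count = int(f[0]), int(f[1]), int(f[2])
    strings = f[3:3 + count]
    rest = f[3 + count:]
    ref = lambda tok: strings[int(tok) - 1]
    module_base, strong_name, service, method = (ref(t) for t in rest[:4])
    n_params = int(rest[4])
    types = [ref(t) for t in rest[5:5 + n_params]]
    values = rest[5 + n_params:]
    return GwtRpcRequest(version, flags, strings, module_base, strong_name,
                         service, method, types, values)


def resolved_params(req: GwtRpcRequest) -> List[str]:
    """String parameters are indirected through the table; primitives are literal."""
    return [req.strings[int(v) - 1] if t.startswith("java.lang.String/") else v
            for t, v in zip(req.param_types, req.param_values)]


def with_string_param(req: GwtRpcRequest, position: int, new_value: str) -> GwtRpcRequest:
    """Return a copy whose String parameter at `position` carries `new_value`.
    Only appends to the string table, so existing indices stay valid."""
    if not req.param_types[position].startswith("java.lang.String/"):
        raise ValueError("only String parameters are rewritten by this helper")
    strings = list(req.strings)
    if new_value not in strings:
        strings.append(new_value)
    values = list(req.param_values)
    values[position] = str(strings.index(new_value) + 1)
    return dataclasses.replace(req, strings=strings, param_values=values)


def serialize_request(req: GwtRpcRequest) -> str:
    strings = list(req.strings)

    def idx(s: str) -> str:
        if s not in strings:
            strings.append(s)
        return str(strings.index(s) + 1)

    header_refs = [idx(req.module_base), idx(req.strong_name), idx(req.service), idx(req.method)]
    type_refs = [idx(t) for t in req.param_types]
    tokens = ([str(req.version), str(req.flags), str(len(strings))]
              + [escape_field(s) for s in strings]
              + header_refs + [str(len(req.param_types))] + type_refs + req.param_values)
    return "|".join(tokens) + "|"


def probe_bodies(req: GwtRpcRequest, position: int, probes: List[str]) -> List[str]:
    """One replayable request body per probe string (e.g. SQL injection payloads)."""
    return [serialize_request(with_string_param(req, position, p)) for p in probes]


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.service, req.method, req.param_types, resolved_params(req))
    for body in probe_bodies(req, 0, ["' OR '1'='1", "a|b", "<img src=x onerror=alert(1)>"]):
        print(body)
```

Each body from `probe_bodies` is replayed as a POST to the service URL with the original request's `Content-Type: text/x-gwt-rpc; charset=utf-8`, `X-GWT-Permutation` and `X-GWT-Module-Base` headers and session cookies; the escaping matters because a probe containing `|` would otherwise corrupt the frame. The method names and parameter types to target are exactly what has to be recovered from the compiled JavaScript (or read from the serialization policy file the module ships alongside it), which is the reverse-engineering step degwt set out to automate.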