Wednesday, September 29, 2010

Re: Vulnerabilities in GWT applications


First let us clarify what "GWT App" may mean:

a) the browser part compiled to JavaScript
b) the server part, still running in Java
overall app means a) + b)

a) is always untrustworthy. Any attacker could substitute the client with
anything he/she likes.
Even when you deliver the best secured browser client, it does not
increase the security of your overall app.

b) GWT-RPC does some automatic improvements; however, you must check
any input because there is no guarantee that it comes from a trusted and
honest source.
However, the server side is still Java, so any Java security techniques
may apply. This is hardly a GWT topic.

I don't think there is an automatic way to find vulnerabilities.
Without understanding classical attack vectors and a great deal of
inspiration for finding potential new ones, you won't increase security.
This will always be a manual task for a human being.

When you need a second pair of professional eyes, you may contact me.
Your site is one hour from my site.

Stefan Bachert

On 28 Sep., 13:29, Basdl <> wrote:
> Hello,
> I'd like to find vulnerabilities in my GWT applications.
> Thus, I prepared an example application with SQL injection
> and cross-site scripting holes.
> Now I want to find these holes with automatic tests.
> In my opinion, a static analysis is a reasonable way to do this.
> When (manually) searching the generated JavaScript, I located
> my variables in the first script tag in the body and the
> corresponding function in the 18th script tag.
> Now I have the following questions:
> - Is there documentation of the GWT compiler available
>   that shows how the Java source is translated into JavaScript?
>   Then I could inspect only the part of the JavaScript
>   that is related to my self-coded Java and not to the framework.
> - How can I identify standard parameters and functions (to skip them)?
> - Does anyone know a better solution to find the described
>   vulnerabilities?
> - Do you have some hints to perform such a security analysis?
> Thanks in advance
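As an added example (not code from the thread), the server-side rule from the reply above in Java: a GWT-RPC servlet with the string-concatenated query such a test application would contain, beside a validated, parameterized version. The UserService interface, the users table and the JDBC_URL placeholder are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
// Constructed GWT-RPC service interface: look up a display name by login.
interface UserService extends RemoteService {
    String findDisplayName(String login);
}

public class UserServiceImpl extends RemoteServiceServlet implements UserService {
    // Placeholder; replace with the real JDBC URL of the application database.
    private static final String JDBC_URL = "jdbc:PLACEHOLDER";
    // Server-side allow-list for logins. Whatever the compiled client did or
    // did not check, the value that arrives over RPC is re-checked here.
    private static final Pattern LOGIN = Pattern.compile("[A-Za-z0-9_.-]{1,32}");
    // "Before": the caller-controlled string becomes part of the SQL text. Any
    // RPC caller picks that string, so this is the SQL injection hole.
    public String findDisplayNameVulnerable(String login) throws SQLException {
        try (Connection db = DriverManager.getConnection(JDBC_URL);
             Statement st = db.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT display_name FROM users WHERE login = '" + login + "'")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }
    // "After": reject anything outside the allow-list, then bind the value as a
    // parameter so it is never parsed as SQL. Render the returned name on the
    // client with setText() or SafeHtml, never setInnerHTML, against XSS.
    @Override
    public String findDisplayName(String login) {
        if (login == null || !LOGIN.matcher(login).matches())
            throw new IllegalArgumentException("invalid login");
        try (Connection db = DriverManager.getConnection(JDBC_URL);
             PreparedStatement ps = db.prepareStatement(
                 "SELECT display_name FROM users WHERE login = ?")) {
            ps.setString(1, login);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        } catch (SQLException e) {
            throw new RuntimeException("lookup failed", e);
        }
    }
}
```

The compiled client can enforce the same allow-list for usability, but only the check in the servlet counts for security, since anything can call the RPC endpoint directly.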
