I want to find security holes in a) and b).
I know that a) is always untrustable, but there are some things to check,
e.g. reading/writing window.location or using setInnerHtml on untrusted
input, as Sripathi Krishnan said.
With the knowledge of possible GWT-RPCs I can try to attack b).
Thus, I can check if the input is validated correctly on the server.
Testing a GWT application without knowing what the parameters in
GWT-RPCs mean is very time-consuming.
So I hope to retrieve some information automatically.
But you are right, finding security holes is also a manual task.
No scanner or other application will find all security holes.
On 29 Sep., 17:08, Stefan Bachert <stefanbach...@yahoo.de> wrote:
> First let us clarify what "GWT App" may mean:
> b) The server part, still running in Java
> overall app mean a) + b)
> a) is always untrustable. Any attackers could substitute the client by
> anything he/she likes.
> Even when you deliver the best secured browser client, it does not
> increase the security of your overall app.
> b) GWT-RPC does some automatic improvements, however, you must check
> any input because there is no guarantee it comes from a trusted and
> honest source.
> However, server side is still java, any java techniques for security
> may apply. This is hardly a GWT topic.
> I don't think there is an automatic way to find vulnerabilities.
> Without understanding classical attack vectors and a great deal of
> inspiration for finding potential new ones, you won't increase security.
> This will always be a manual task for a human being.
> When you need a second pair of professional eyes, you may contact me.
> Your site is one hour from my site.
> Stefan Bachert
> http://gwtworld.de
> On 28 Sep., 13:29, Basdl <b...@cirosec.de> wrote:
> > Hello,
> > I'd like to find vulnerabilities in my GWT applications.
> > Thus, I prepared an example application with SQL injection
> > and cross-site scripting holes.
> > Now I want to find these holes with automatic tests.
> > In my opinion, a static analysis is a reasonable way to do this.
> > my variables in the first script-tag in the body and the
> > corresponding function in the 18th script tag.
> > Now I have the following questions:
> > - Is there documentation of the GWT compiler available
> > that is related to my self-coded Java and not to the framework?
> > - How can I identify standard parameters and functions (to skip them)?
> > - Does anyone know a better solution to find the described
> > vulnerabilities?
> > - Do you have some hints to perform such a security analysis?
> > Thanks in advance
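The part Basdl hopes to automate is working out what the GWT-RPC parameters mean before attacking the server side. Below is an added example, not code from this thread or from GWT itself, that decodes a version-7 GWT-RPC request body into service, method and typed parameters, and re-encodes it with one string parameter swapped for a test payload (here an SQL injection string). The service name, strong name and request bodies are constructed for the example; the wire layout and the `\!` / `\\` escaping it relies on are stated as assumptions in the module docstring, and object-typed parameters are handed back undecoded rather than guessed at.

```python
"""Decode and re-encode a GWT-RPC (version 7) request body.

Added example; not code from the thread above or from GWT.
Assumed wire layout (fields separated by '|', body ends with '|'):
  version | flags | N | string_1 .. string_N | integer tokens
Integer tokens, in order: module base URL index, strong name index,
service interface index, method name index, parameter count, one type
index per parameter, then the parameter values.  Indices are 1-based
into the string table.  A String parameter value is itself a string
table index; int/short/byte/float/double/boolean values are literals.
Assumed escaping inside strings: '|' -> '\\!' and '\\' -> '\\\\'.
"""

STRING_TYPE_PREFIX = "java.lang.String/"
# JNI-style signatures assumed for primitive parameter types.
PRIMITIVES = {"I": int, "S": int, "B": int, "D": float, "F": float,
              "Z": lambda tok: tok == "1"}


def _unescape(field):
    """Undo the assumed GWT string escaping, scanning left to right."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 1 < len(field) and field[i + 1] in "!\\":
            out.append("|" if field[i + 1] == "!" else "\\")
            i += 2
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def _escape(text):
    return text.replace("\\", "\\\\").replace("|", "\\!")


def _split(body):
    fields = body.split("|")
    if fields and fields[-1] == "":
        fields.pop()  # the body ends with a separator, not a field
    return fields


def parse_request(body):
    fields = _split(body)
    version, flags, n = int(fields[0]), int(fields[1]), int(fields[2])
    if version != 7:
        raise ValueError("unsupported GWT-RPC version %d" % version)
    strings = [_unescape(f) for f in fields[3:3 + n]]
    ints = fields[3 + n:]
    s = lambda tok: strings[int(tok) - 1]
    nparams = int(ints[4])
    types = [s(t) for t in ints[5:5 + nparams]]
    values, cursor, undecoded = [], 5 + nparams, []
    for typ in types:
        tok = ints[cursor]
        if typ.startswith(STRING_TYPE_PREFIX):
            values.append(s(tok))
        elif typ in PRIMITIVES:
            values.append(PRIMITIVES[typ](tok))
        else:
            # Object graphs occupy a variable number of tokens; return
            # the remainder raw instead of guessing the class layout.
            undecoded = ints[cursor:]
            break
        cursor += 1
    return {"flags": flags, "module_base_url": s(ints[0]),
            "strong_name": s(ints[1]), "service": s(ints[2]),
            "method": s(ints[3]), "param_types": types,
            "param_values": values, "undecoded_tokens": undecoded}


def replace_string_param(body, position, new_value):
    """Return body with the String parameter at `position` (0-based) replaced.

    The payload is appended to the string table and the value token is
    re-pointed at it, so every other reference in the body stays intact."""
    fields = _split(body)
    n = int(fields[2])
    strings, ints = fields[3:3 + n], fields[3 + n:]
    nparams = int(ints[4])
    types = [_unescape(strings[int(t) - 1]) for t in ints[5:5 + nparams]]
    cursor = 5 + nparams
    for i, typ in enumerate(types):
        if i == position:
            if not typ.startswith(STRING_TYPE_PREFIX):
                raise ValueError("parameter %d is %s, not a String" % (i, typ))
            strings.append(_escape(new_value))
            ints[cursor] = str(len(strings))
            break
        if not (typ.startswith(STRING_TYPE_PREFIX) or typ in PRIMITIVES):
            raise ValueError("cannot locate a parameter past an object-typed one")
        cursor += 1
    else:
        raise IndexError("no parameter at position %d" % position)
    return "|".join(["7", fields[1], str(len(strings))] + strings + ints) + "|"


# Constructed samples (hypothetical services; strong name is made up).
LOGIN = ("7|0|7|http://localhost:8080/app/|8D3B1A2C4E5F6A7B8C9D0E1F2A3B4C5D|"
         "com.example.client.LoginService|login|java.lang.String/2004016611|"
         "alice|s3cr\\!t|1|2|3|4|2|5|5|6|7|")
TRANSFER = ("7|0|7|http://localhost:8080/app/|8D3B1A2C4E5F6A7B8C9D0E1F2A3B4C5D|"
            "com.example.client.BankService|transfer|java.lang.String/2004016611|"
            "I|bob|1|2|3|4|2|5|6|7|250|")

if __name__ == "__main__":
    print(parse_request(LOGIN))
    print(replace_string_param(LOGIN, 0, "' OR '1'='1"))
```

Feeding each captured request through `parse_request` gives the service/method/type list Basdl is after, and `replace_string_param` produces the modified body to replay against the servlet when checking whether b) validates that parameter; `_split` relies on literal pipes inside strings being escaped, so a body that breaks this assumption will mis-parse rather than silently succeed.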