Wednesday, September 29, 2010

Re: Vulnerabilities in GWT applications


I want to find security holes in a) and b).

I know that a) is always untrustable, but there are some things to check,
e.g. read / write of window.location or use of setInnerHtml on untrusted
data, as Sripathi Krishnan said.

With the knowledge of possible GWT-RPCs I can try to attack b).
Thus, I can check if the input is validated correctly on the server.

Testing a GWT application without knowing what the parameters in
GWT-RPCs mean is very time-consuming.
So I hope to retrieve some information automatically.

But you are right, finding security holes is also a manual task.
No scanner or other application will find all security holes.


On 29 Sep., 17:08, Stefan Bachert wrote:
> Hi,
> First let us clarify what "GWT App" may mean:
> a) the browser part compiled to JavaScript
> b) The server part, still running in Java
> overall app means a) + b)
> a) is always untrustable. Any attacker could substitute the client by
> anything he/she likes.
> Even when you deliver the best secured browser client, it does not
> increase the security of your overall app.
> b) GWT-RPC does some automatic improvements, however, you must check
> any input because there is no guarantee that it comes from a trusted and
> honest source.
> However, server side is still Java, any Java techniques for security
> may apply. This is hardly a GWT topic.
> I don't think there is an automatic way to find vulnerabilities.
> Without understanding classical attack vectors and a great inspiration
> of finding potential new ones, you won't increase security.
> This will always be a manual task for a human being.
> When you need a second pair of professional eyes, you may contact me.
> Your site is one hour from my site.
> Stefan Bachert
> On 28 Sep., 13:29, Basdl wrote:
> > Hello,
> > I'd like to find vulnerabilities in my GWT applications.
> > Thus, I prepared an example application with SQL injection
> > and cross-site scripting holes.
> > Now I want to find these holes with automatic tests.
> > In my opinion, a static analysis is a reasonable way to do this.
> > While (manually) searching the generated JavaScript, I located
> > my variables in the first script-tag in the body and the
> > corresponding function in the 18th script tag.
> > Now I have the following questions:
> > - Is there documentation of the GWT compiler available
> >   that shows how the Java source is translated into JavaScript?
> >   Hence, I could inspect only the part of the JavaScript
> >   that is related to my self-coded Java and not to the framework.
> > - How can I identify standard parameters and functions (to skip them)?
> > - Does anyone know a better solution to find the described
> > vulnerabilities?
> > - Do you have some hints to perform such a security analysis?
> > Thanks in advance
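
Point b) of the quoted reply, that the server must check every GWT-RPC input because the client can be replaced, shown as an added example (not code from this thread or from GWT). The class `UserLookup`, its method names, and the `users` table with `name` and `display_name` columns are assumptions; the vulnerable form sits beside the hardened one.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Hypothetical server-side logic behind a GWT-RPC method findUser(String name).
// Class, table and column names are assumptions made for this example.
public class UserLookup {
    // Allow-list enforced on the server; checks done in the browser do not count.
    private static final Pattern NAME = Pattern.compile("[A-Za-z0-9_.-]{1,32}");

    static boolean isValidName(String name) {
        return name != null && NAME.matcher(name).matches();
    }

    // Vulnerable form: the RPC argument becomes part of the SQL text itself.
    static String unsafeQuery(String name) {
        return "SELECT display_name FROM users WHERE name = '" + name + "'";
    }

    // Hardened form: validate first, then bind the value as a parameter so it
    // can never change the structure of the statement.
    static String findDisplayName(Connection db, String name) throws SQLException {
        if (!isValidName(name)) {
            throw new IllegalArgumentException("invalid user name");
        }
        try (PreparedStatement ps = db.prepareStatement(
                "SELECT display_name FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample arguments, as any substituted client could send them.
        String[] samples = { "alice", "o'brien", "", null };
        for (String s : samples) {
            // The second sample shows a single quote ending the SQL literal early.
            String sql = (s == null) ? "(null argument)" : unsafeQuery(s);
            System.out.println(isValidName(s) + "  " + sql);
        }
    }
}
```

Running `main` needs no database: it prints the server-side validation result next to the statement text the concatenating version would have produced.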
