Wednesday, September 29, 2010

Re: Vulnerabilities in GWT applications

Hi,

I want to find security holes in a) and b).

I know that a) is always untrustable but there are some things to check out,
e.g. read / write of window.location or use of setInnerHtml on untrusted data,
as Sripathi Krishnan said.

With the knowledge of possible GWT-RPCs I can try to attack b).
Thus, I can check if the input is validated correctly on the server.

Testing a GWT application without knowing what the parameters in
GWT-RPCs mean is very time-consuming.
So I hope to retrieve some information automatically.

But you are right, finding security holes is also a manual task.
No scanner or other application will find all security holes.

Basdl


On 29 Sep., 17:08, Stefan Bachert <stefanbach...@yahoo.de> wrote:
> Hi,
>
> First let us clarify what "GWT App" may mean:
>
> a) the browser part compiled to JavaScript
> b) The server part, still running in Java
> overall app means a) + b)
>
> a) is always untrustable. Any attacker could substitute the client with
> anything he/she likes.
> Even when you deliver the best secured browser client, it does not
> increase the security of your overall app.
>
> b) GWT-RPC does some automatic improvements, however, you must check
> any input because there is no guarantee that it comes from a trusted and
> honest source.
> However, server side is still Java, any Java techniques for security
> may apply. This is hardly a GWT topic.
>
> I don't think there is an automatic way to find vulnerabilities.
> Without understanding classical attack vectors and a great inspiration
> of finding potential new ones, you won't increase security.
> This will always be a manual task for a human being.
>
> When you need a second pair of professional eyes, you may contact me.
> Your site is one hour from my site.
>
> Stefan Bachert http://gwtworld.de
>
> On 28 Sep., 13:29, Basdl <b...@cirosec.de> wrote:
>
> > Hello,
>
> > I'd like to find vulnerabilities in my GWT applications.
> > Thus, I prepared an example application with SQL injection
> > and cross-site scripting holes.
> > Now I want to find these holes with automatic tests.
> > In my opinion, a static analysis is a reasonable way to do this.
> > When (manually) searching the generated javascript, I located
> > my variables in the first script-tag in the body and the
> > corresponding function in the 18th script tag.
>
> > Now I have the following questions:
> > - Is there a documentation of the GWT compiler available,
> >   that shows how the java source is translated into javascript?
> >   Hence, I could inspect only the part of the javascript
> >   that is related to my self-coded java and not to the framework.
> > - How can I identify standard parameters and functions (to skip them)?
> > - Does anyone know a better solution to find the described
> > vulnerabilities?
> > - Do you have some hints to perform such a security analysis?
>
> > Thanks in advance
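
An added example, not part of the thread and not GWT project code: one way to automate part of the check discussed above is to scan the Java source (rather than the compiled JavaScript the original question looked at) for the sinks named in the reply and flag every call whose argument is not a plain string literal. The function names, the sample source and the `SafeHtmlUtils` allowlist are assumptions made for this illustration.

```python
import re

# GWT sinks named in the thread: raw HTML injection and window.location writes.
SINKS = {
    "html": re.compile(r"\b(?:setInnerHTML|setHTML)\s*\(|\bnew\s+HTML\s*\("),
    "location": re.compile(r"\bWindow\.Location\.(?:assign|replace)\s*\("),
}
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')
# Assumption: values wrapped by these GWT escaping helpers count as handled.
SAFE_WRAPPERS = ("SafeHtmlUtils.htmlEscape(", "SafeHtmlUtils.fromString(")

def call_argument(line, open_idx):  # text between '(' at open_idx and its ')'
    depth, in_str, escaped = 0, False, False
    for i in range(open_idx, len(line)):
        ch = line[i]
        if escaped:
            escaped = False                      # character after a backslash
        elif in_str:
            escaped, in_str = ch == "\\", ch != '"'
        elif ch == '"':
            in_str = True
        else:
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                return line[open_idx + 1:i]
    return line[open_idx + 1:]                   # call spans lines: keep the rest

def scan(source):
    """Return (line number, sink kind, argument) for non-literal sink arguments."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "*", "/*")):
            continue                             # comment line
        for kind, pattern in SINKS.items():
            for m in pattern.finditer(line):
                arg = call_argument(line, m.end() - 1).strip()
                if not (STRING_LITERAL.match(arg) or arg.startswith(SAFE_WRAPPERS)):
                    findings.append((lineno, kind, arg))
    return findings

# Constructed sample source, not taken from the thread.
SAMPLE = '''\
label.getElement().setInnerHTML("<b>Saved</b>");
panel.getElement().setInnerHTML("<p>" + comment + "</p>");
output.setHTML(SafeHtmlUtils.htmlEscape(comment));
container.add(new HTML(result.getText()));
Window.Location.assign(Window.Location.getParameter("next"));
// preview.setHTML(comment);
'''
```

Each finding from `scan(SAMPLE)` is only a candidate for manual review: the scan does not track where the argument's value comes from, so it cannot tell trusted data from untrusted data.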
