Thursday, August 27, 2015

Is it possible to hack GWT by XSRF if the given XSRF defence is not used?

So, we got a Coverity security alarm that our server side gwt-rpc services are might be vulnerable for cross site request forgery attacks. 

Luckily there is a very good token generating solution available out of the box (http://www.gwtproject.org/doc/latest/DevGuideSecurityRpcXsrf.html), however I could not exploit the absence of this:

1) If I try to forge a post request with a xmlhttprequest ajax call then the Same Origin Policy kicks in within the browser and the cookie with the session id is not exposed.
2) If I want to do a form post (for example in a hidden iframe) then the cookie with the session id is added by the browser, but I've found no way to set the Content-Type to text/x-gwt-rpc and without this the post request is not processed.

The only hint that I've found was an older stackoverflow post that some of the previous versions of Flash allowed rewriting the header of form post requests, however that was considered as a bug and it was fixed.

To me it seems the custom content type and the s.o.p. makes xsrf attacks useless against the gwt-rpc mechanism. Can anyone back me up or counter me?

(Sidenote: before anyone asks, we need to do a demo for the management that the application was vulnerable before applying the XSRF defence, but became safe after that).


--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at http://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.

No comments:

Post a Comment