Tuesday, March 22, 2016

Re: Method Enumeration in GWT

On Tuesday, March 22, 2016 at 12:56:06 PM UTC+1, Shrivathsa Bhat wrote:
Hello All, I've heard it is possible to enumerate all available methods on the client side. Below are some links about this:


My question is: is it still possible, or are methods secure on the client side by default? If not, is there any way to block it?

Your client-side code indeed contains whichever URLs and constants are necessary to communicate with your server, so such enumeration will always be theoretically possible, there's no way around it. And this is true of whichever "protocol" you use to communicate with your server.
That said, first about the gwtenum tool itself:
  • it's out-of-date (they look for *.cache.html files, and GWT switched to the xsiframe linker by default in 2.7, which produces *.cache.js files). It might be relatively easy to update it though (might be as easy as changing the *.cache.html pattern to *.cache.js; maybe other changes would be needed, given that GWT obfuscation/minification has probably changed too since 2010)
  • it apparently won't load deferred fragments (GWT.runAsync), so it's incomplete
Now about the "technique":
  • GWT has long had type-name elision (<inherits name="com.google.gwt.user.RemoteServiceObfuscateTypeNames" />); actually, that was added more than one year before the article you link to! (see https://gwt.googlesource.com/gwt/+log/master/user/src/com/google/gwt/user/RemoteServiceObfuscateTypeNames.gwt.xml) But it's opt-in, and it might not even be documented. With type-name elision, enumerated methods' parameters will be much less readable.
  • GWT also has (since early 2011) built-in XSRF mitigation (again, an opt-in) for GWT-RPC.

So, what does enumerating GWT-RPC methods give you? You can fuzz inputs as an attempt to trigger a server-side bug, or if XSRF protection is not used you could possibly exploit some method (mostly useful if you trigger it on someone who's authenticated). Those are things you should protect against anyway (assuming bugs in your own code, vs. bugs in GWT's RPC code).
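An added example, not code from the thread's participants or from the GWT project, showing how to opt into the two mitigations named in the reply, type-name elision and the built-in XSRF token check, for a hypothetical GWT-RPC service. The module name "account", the example packages, the AccountStore class and the omitted AccountServiceAsync interface and service servlet mapping are assumptions.

```java
// Account.gwt.xml (constructed example module named "account"): opt in to type-name elision so
// the serialized type names an enumeration tool reads from *.cache.js become opaque hashes.
//   <inherits name="com.google.gwt.user.RemoteServiceObfuscateTypeNames" />
// web.xml: expose the token service at <module base>/xsrf and name the session cookie tokens are bound to.
//   <context-param><param-name>gwt.xsrf.session_cookie_name</param-name><param-value>JSESSIONID</param-value></context-param>
//   <servlet><servlet-name>xsrf</servlet-name><servlet-class>com.google.gwt.user.server.rpc.XsrfTokenServiceServlet</servlet-class></servlet>
//   <servlet-mapping><servlet-name>xsrf</servlet-name><url-pattern>/account/xsrf</url-pattern></servlet-mapping>

// --- shared/AccountService.java: extending XsrfProtectedService marks every method @XsrfProtect.
package example.shared;
import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;
import com.google.gwt.user.client.rpc.XsrfProtectedService;
@RemoteServiceRelativePath("account")
public interface AccountService extends XsrfProtectedService {
    boolean deleteAccount(String accountId);
}

// --- server/AccountServiceImpl.java: the base servlet rejects a call whose token does not match
// the caller's session cookie before deleteAccount runs, so a discovered endpoint cannot be
// invoked from a third-party page on behalf of a logged-in user.
package example.server;
import com.google.gwt.user.server.rpc.XsrfProtectedServiceServlet;
import example.shared.AccountService;
public class AccountServiceImpl extends XsrfProtectedServiceServlet implements AccountService {
    public boolean deleteAccount(String accountId) {
        // The token only proves the request came from our own page; per-user authorization
        // still belongs here (AccountStore is a hypothetical data-access class).
        return AccountStore.deleteIfOwnedBy(getThreadLocalRequest().getSession(), accountId);
    }
}

// --- client/AccountPanel.java: fetch a token, attach it to the proxy, then make the RPC.
package example.client;
import com.google.gwt.core.client.GWT;
import com.google.gwt.user.client.rpc.*;
import example.shared.*;
public class AccountPanel {
    public void delete(final String accountId, final AsyncCallback<Boolean> done) {
        XsrfTokenServiceAsync xsrf = GWT.create(XsrfTokenService.class);
        ((ServiceDefTarget) xsrf).setServiceEntryPoint(GWT.getModuleBaseURL() + "xsrf");
        xsrf.getNewXsrfToken(new AsyncCallback<XsrfToken>() {
            public void onFailure(Throwable t) { done.onFailure(t); }
            public void onSuccess(XsrfToken token) {
                AccountServiceAsync svc = GWT.create(AccountService.class);
                ((HasRpcToken) svc).setRpcToken(token); // travels in the RPC payload, not in a cookie
                svc.deleteAccount(accountId, done);
            }
        });
    }
}
```

Type-name elision only makes the enumerated parameter types harder to read; the XSRF token is what stops a discovered method from being triggered cross-site, and neither replaces per-method authorization checks.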

