On Tuesday, January 28, 2014 5:04:08 PM UTC+1, Kurt Dmello wrote:
> Hey folks,
> I am a relative noob to GWT and have been looking at it from a security code review perspective. I want to create a set of guidelines for people who have to review GWT code from a security perspective looking for vulnerabilities.
>
> I have read and understood:
> http://www.gwtproject.org/articles/security_for_gwt_applications.html
>
> I have also implemented the StockWatcher application by following the tutorial.
>
> In trying to introduce vulnerabilities that I could exploit as a demonstration for what to look for I have failed. My understanding after reading the article on GWT security was that if tainted data is set using setHTML() or setInnerHTML() on a client widget it will be susceptible to XSS.
>
> I found the HTML() widget to contain a setHTML() routine that took a String and not SafeHTML and set its value to contain a variety of standard XSS exploits such as <script>alert(1);</script>. It does not produce the expected results. It seems to me that there is a black list or further escaping that happens underneath the covers. Is it that I am simply not "popping" out to the right context, or is GWT truly immune to XSS?
What you're seeing here is browser "sanitization" from innerHTML (not sanitization actually, just that the <script> is not run). Try with <img onerror="alert(1)" src="//"> or similar (onclick, etc.)

> What should someone performing code review on a GWT app. be looking for?

Everywhere SafeHtml / SafeStyles / SafeUri could be used but is not (HasHTML#setHTML is one such thing).

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
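The two points above (a <script> assigned through innerHTML is parsed but never executed, so an onerror handler is the better probe; and the review target is every place a String reaches setHTML where a SafeHtml could have been used) as an added example. This is not code from the thread or from the GWT project; it assumes gwt-user.jar on the classpath. The escaping demo in main() runs on a plain JVM because it only touches the shared safehtml package; installWidgets() compiles but can only run inside a GWT client module, since widgets need a browser document.

```java
// Added example, not from the original thread: the String-taking HasHTML#setHTML
// beside the SafeHtml-based alternatives a reviewer should expect instead.
// Assumes gwt-user.jar on the classpath.
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.RootPanel;

public class SafeHtmlReviewDemo {

  // Constructed probe payload. A <script> inserted via innerHTML is not executed by
  // the browser, so it looks "safe" in a test; an <img> whose load fails runs its
  // onerror handler as soon as it is attached to the document.
  static final String TAINTED = "<img src=\"//\" onerror=\"alert(1)\">";

  // Reviewer red flag: an untrusted String is handed to setHTML(String), which writes
  // it to innerHTML with no escaping at all.
  static HTML vulnerable(String untrusted) {
    HTML w = new HTML();
    w.setHTML(untrusted);                             // HasHTML#setHTML(String)
    return w;
  }

  // Fix: wrap the untrusted text as SafeHtml; fromString() HTML-escapes it, so the
  // payload is rendered as literal text instead of markup.
  static HTML hardened(String untrusted) {
    HTML w = new HTML();
    w.setHTML(SafeHtmlUtils.fromString(untrusted));   // HasSafeHtml#setHTML(SafeHtml)
    return w;
  }

  // Mixing trusted markup with untrusted data: keep the markup as compile-time
  // constants and route every piece of user data through appendEscaped().
  static SafeHtml greeting(String untrustedName) {
    return new SafeHtmlBuilder()
        .appendHtmlConstant("<p>Hello, <b>")   // literal only; never user data
        .appendEscaped(untrustedName)           // escaped before reaching innerHTML
        .appendHtmlConstant("</b>!</p>")
        .toSafeHtml();
  }

  // Client-side wiring. Only runs inside a GWT module's onModuleLoad(): the first
  // widget fires alert(1) when attached, the second shows the payload as text.
  static void installWidgets() {
    RootPanel.get().add(vulnerable(TAINTED));
    RootPanel.get().add(hardened(TAINTED));
  }

  // JVM-side demonstration of what the SafeHtml path actually emits.
  public static void main(String[] args) {
    System.out.println(SafeHtmlUtils.fromString(TAINTED).asString());
    System.out.println(greeting(TAINTED).asString());
  }
}
```

When reviewing, grep for setHTML(, setInnerHTML( and the HTML(String) constructor and check whether the argument is a SafeHtml or a raw String; the same question applies to SafeStyles for style text and SafeUri for href/src values.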
