Another set of dangerous code to look for would be any SafeHtmlUtils or 
SafeHtmlBuilder (and their uri/style counterparts) call that should take 
'constant' or 'trusted' but instead takes untrusted user data. Custom 
implementations of SafeHtml should also be treated as suspect.

These all fall under the category of "Deliberately abusing the safehtml api 
will make it no longer safe".

On Tuesday, January 28, 2014 11:17:49 AM UTC-6, Thomas Broyer wrote:
>
>
>
> On Tuesday, January 28, 2014 5:04:08 PM UTC+1, Kurt Dmello wrote:
>>
>> Hey folks,
>> I am a relative noob to GWT and have been looking at it from a security 
>> code review perspective.  I want to create a set of guidelines for people 
>> who have to review GWT code from a security perspective looking for 
>> vulnerabilities.
>>
>> I have read and understood :
>> http://www.gwtproject.org/articles/security_for_gwt_applications.html
>>
>> I have also implemented the StockWatcher application by following the 
>> tutorial.
>>
>> In trying to introduce vulnerabilities that I could exploit as a 
>> demonstration for what to look for I have failed.  My understanding after 
>> reading the article on GWT security was that if tainted data is set using 
>> setHTML() or setInnerHTML() on a client widget it will be susceptible to 
>> XSS. 
>>
>> I found the HTML() widget to contain a setHTML() routine that took a 
>> String and not SafeHTML and set its value to contain a variety of standard 
>> XSS exploits such as <script>alert(1);</script>.  It does not produce the 
>> expected results.  It seems to me that there is a black list or further 
>> escaping that happens underneath the covers.  Is it that I am simply out 
>> "popping" out to the right context or is GWT truly immune to XSS.
>>
>
> What you're seeing here is browser "sanitization" from innerHTML (not 
> sanitization actually, just that the <script> are not run). Try with <img 
> onerror="alert(1)" src="//"> or similar (onclick, etc.)
>  
>
>> What should someone performing code review on a GWT app. be looking for ?
>>
>
> Everywhere SafeHtml / SafeStyles / SafeUri could be used but is not 
> (HasHTML#setHTML is one such thing)
>

-- 
http://groups.google.com/group/Google-Web-Toolkit-Contributors
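An added example, not from this thread and not GWT project code, that puts the patterns the reply above flags next to the forms a reviewer would accept. It assumes the GWT 2.x SafeHtml classes (com.google.gwt.safehtml.shared and the HTML/Anchor widgets); the class name, the flag*/accepted* method names and the sample payload are constructed for illustration.

```java
// Hypothetical review checklist in code form (constructed example, not from the thread).
// Assumes GWT 2.x: com.google.gwt.safehtml.shared.* and com.google.gwt.user.client.ui.*.
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;
import com.google.gwt.user.client.ui.Anchor;
import com.google.gwt.user.client.ui.HTML;

public class SafeHtmlReviewExamples {

    // Constructed sample of user-controlled data. Unlike <script>, which browsers
    // do not execute when inserted via innerHTML, an event handler attribute on an
    // inserted element does run, which is why the thread points at this shape.
    static final String SAMPLE_UNTRUSTED = "<img src=\"//\" onerror=\"alert(1)\">";

    // ---------------- Patterns a reviewer should flag ----------------

    // FLAG: HasHTML#setHTML(String) writes raw markup; the SafeHtml overload exists.
    static void flagSetHtmlString(HTML widget, String untrusted) {
        widget.setHTML(untrusted);
    }

    // FLAG: fromTrustedString() asserts the caller has already vetted the markup.
    // Feeding it user data removes the only guarantee the SafeHtml type carries.
    static SafeHtml flagFromTrustedString(String untrusted) {
        return SafeHtmlUtils.fromTrustedString(untrusted);
    }

    // FLAG: appendHtmlConstant() is meant for compile-time constant markup only;
    // concatenating user data into it is the same hole with extra steps.
    static SafeHtml flagHtmlConstantWithUserData(String untrustedName) {
        return new SafeHtmlBuilder()
            .appendHtmlConstant("<b>" + untrustedName + "</b>")
            .toSafeHtml();
    }

    // FLAG: a hand-rolled SafeHtml whose asString() returns the input unchanged.
    // Anything that accepts SafeHtml will now trust this object blindly.
    static final class NotActuallySafe implements SafeHtml {
        private final String raw;
        NotActuallySafe(String raw) { this.raw = raw; }
        @Override public String asString() { return raw; }
    }

    // FLAG (URI counterpart): fromTrustedString() skips the scheme check,
    // so a javascript: URL from the user reaches the href untouched.
    static SafeUri flagTrustedUri(String untrustedHref) {
        return UriUtils.fromTrustedString(untrustedHref);
    }

    // ---------------- Forms a reviewer can accept ----------------

    // fromString() HTML-escapes the input, so SAMPLE_UNTRUSTED renders as text.
    static SafeHtml acceptedEscaped(String untrusted) {
        return SafeHtmlUtils.fromString(untrusted);
    }

    // Constant markup via appendHtmlConstant, user data via appendEscaped.
    static SafeHtml acceptedBuilder(String untrustedName) {
        return new SafeHtmlBuilder()
            .appendHtmlConstant("<b>")
            .appendEscaped(untrustedName)
            .appendHtmlConstant("</b>")
            .toSafeHtml();
    }

    // UriUtils.fromString() sanitizes: unsafe schemes are replaced, so the
    // Anchor only ever receives a SafeUri that passed the check.
    static void acceptedAnchor(Anchor anchor, String untrustedHref) {
        SafeUri href = UriUtils.fromString(untrustedHref);
        anchor.setHref(href);
    }

    // The widget accepts the typed value; raw Strings never reach innerHTML.
    static void acceptedSetHtml(HTML widget, String untrusted) {
        widget.setHTML(acceptedEscaped(untrusted));
    }
}
```

When reading a GWT code base, grep for `fromTrustedString`, `appendHtmlConstant`, `setHTML(` with a String argument, `setInnerHTML`, and `implements SafeHtml`; each hit is fine only if the argument is a literal or otherwise provably not user-controlled.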