On Friday, July 21, 2023 at 11:38:59 AM UTC+2 [email protected] wrote:

We have one deployment of a GWT app where there is a Fortiweb firewall that 
blocks every GWT RPC call because it recognizes every call as a Java Method 
Injection attack. This seems to be caused by the presence of the pattern 
"java.lang." in the messages from the client to the server like the 
following:

7|0|7|https://host/app/app_gui/|BD9331DABCA5012FC56F3600DF03415F|com.app.gui.client.Bridge|getClientConfiguration|java.lang.String/2004016611|john|ADMINISTRATOR|1|2|3|4|2|5|5|6|7|

My idea is to convince the firewall administrator that these are 
false positives, as these calls are part of the GWT RPC mechanism that does 
not allow arbitrary Java code execution on the server side.

Is my reasoning correct or am I not worried enough?


Your reasoning is correct. But you can also obfuscate type names to prevent 
triggering the WAF: 
https://github.com/gwtproject/gwt/blob/main/user/src/com/google/gwt/user/RemoteServiceObfuscateTypeNames.gwt.xml
 
(disclaimer: I haven't used RPC for more than 10 years)
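Added example (my own code, not from the thread or the GWT project): decoding the quoted request body shows that the "java.lang.String/2004016611" token sits in the string table as a declared parameter type, referenced by index, which is what a firewall administrator needs to see to scope an exception narrowly. It assumes the version-7 wire layout and decodes only String-typed parameter values; the sample body is the one quoted above, joined onto one line.

```python
"""Decode a GWT-RPC v7 request body and report the role of every "java.lang." token."""

# Constructed sample: the request quoted in the thread, joined onto one line.
SAMPLE = ("7|0|7|https://host/app/app_gui/|BD9331DABCA5012FC56F3600DF03415F|"
          "com.app.gui.client.Bridge|getClientConfiguration|"
          "java.lang.String/2004016611|john|ADMINISTRATOR|1|2|3|4|2|5|5|6|7|")


def parse_gwt_rpc(body: str) -> dict:
    """Body layout: version|flags|N|<N strings>|<integer tokens>. The tokens are
    1-based indexes into the string table (0 means null), except that primitive
    values are inline, so only String-typed parameters are decoded here."""
    parts = body.rstrip("|").split("|")
    version, flags, count = int(parts[0]), int(parts[1]), int(parts[2])
    if version != 7:
        raise ValueError(f"unsupported GWT-RPC version {version}")
    strings = parts[3:3 + count]
    tokens = [int(t) for t in parts[3 + count:]]
    ref = lambda i: strings[i - 1] if i else None
    n_params = tokens[4]
    types = [ref(i) for i in tokens[5:5 + n_params]]
    raw_values = tokens[5 + n_params:]
    # "java.lang.String/2004016611" is a class name plus serialization signature;
    # the server resolves it against its .gwt.rpc policy whitelist, it never runs it.
    values = [ref(v) if t.startswith("java.lang.String/") else v
              for t, v in zip(types, raw_values)]
    return {
        "module_base_url": ref(tokens[0]),
        "strong_name": ref(tokens[1]),   # permutation hash selecting the .gwt.rpc policy file
        "service_interface": ref(tokens[2]),
        "method": ref(tokens[3]),
        "param_types": types,
        "param_values": values,
    }


def java_lang_roles(req: dict) -> dict:
    """Map each 'java.lang.' string to the role it plays, so a WAF exception
    can be limited to declared parameter types and leave user data under review."""
    roles = {}
    for t in req["param_types"]:
        if "java.lang." in t:
            roles[t] = "parameter type"
    for v in req["param_values"]:
        if isinstance(v, str) and "java.lang." in v:
            roles[v] = "parameter value"   # user-supplied data, judged on its own merits
    return roles


if __name__ == "__main__":
    req = parse_gwt_rpc(SAMPLE)
    print(req["method"], req["param_types"], req["param_values"])
    print(java_lang_roles(req))
```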
