I solved it this way (an attacker would have a harder time, because he cannot add an extra application in the same domain):

I created a new application with the same service interfaces and other needed classes. Then I created the service and configured it. When I tried to make a call, I got an error message (incompatible service). I solved this by replacing class names in the generated JS code. Then I just ran the code and found out that my protection works fine ;)

On 24 Feb, 11:52, vedouci <[email protected]> wrote:
> Hi guys, my boss wants me to check security issues in our application.
> We have some sort of XSRF protection (XSRF key in cookie) and my job
> is to check if it works fine. I want to simulate an XSRF attack on
> unprotected code and then try the same attack on protected code to
> accomplish this.
>
> My plan was: install Wireshark, analyze network traffic, find a request
> suitable for invoking (a simple one ;)), write some JS code which will
> attack my own code :)
>
> The problem is with step 2 - analyze network traffic - it seems that
> the RPC request is encoded in some strange way - Does anybody know how
> the GWT RPC request (POST) is encoded?
>
> Basically, I just need to call some simple method with the XSRF key in
> a parameter, there is no need to parse the response... So, is there
> anybody who can help me? :)
>
> BTW: Excuse me for my English ;)
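The kind of check being tested in this thread, as an added example that is not code from the original posts or from GWT: a server-side double-submit comparison, assuming the protection compares the XSRF key stored in the cookie with a key sent as a call parameter. The class name, method names and sample values are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper, not part of GWT: double-submit XSRF key check.
public class XsrfKeyCheck {

    private static final SecureRandom RNG = new SecureRandom();

    // Issue an unguessable key; the server sets it as the XSRF cookie.
    static String newKey() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    // Accept the call only if the key sent as a parameter equals the cookie value.
    // A page on another origin makes the browser send the cookie but cannot read it,
    // so it cannot supply a matching parameter.
    static boolean isValid(String cookieKey, String paramKey) {
        if (cookieKey == null || paramKey == null || cookieKey.isEmpty()) {
            return false; // missing cookie or parameter: reject instead of skipping the check
        }
        byte[] a = cookieKey.getBytes(StandardCharsets.UTF_8);
        byte[] b = paramKey.getBytes(StandardCharsets.UTF_8);
        // Comparison whose timing does not reveal where the values differ.
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        String cookie = newKey(); // constructed sample value
        // Same-origin client: read the cookie and copied it into the parameter.
        System.out.println("legitimate call:      " + isValid(cookie, cookie));
        // Cross-site request: cookie attached by the browser, parameter guessed.
        System.out.println("forged, guessed key:  " + isValid(cookie, newKey()));
        // Cross-site request: cookie attached by the browser, parameter absent.
        System.out.println("forged, no key:       " + isValid(cookie, null));
        // An empty cookie and an empty parameter must not count as a match.
        System.out.println("empty cookie and key: " + isValid("", ""));
    }
}
```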
