1) The client class RpcRequestBuilder sets the following headers in the
doFinish() method --

  protected void doFinish(RequestBuilder rb) {
    rb.setHeader(STRONG_NAME_HEADER, GWT.getPermutationStrongName());
    rb.setHeader(MODULE_BASE_HEADER, GWT.getModuleBaseURL());
  }

2) On the server side, the class AbstractRemoteServiceServlet defines the
method getPermutationStrongName().

  protected final String getPermutationStrongName() {
    return getThreadLocalRequest().getHeader(STRONG_NAME_HEADER);
  }


3) Then, in RemoteServiceServlet, in the processCall() method, there is a
check like this -

  if (getPermutationStrongName() == null) {
    throw new SecurityException(
        "Blocked request without GWT permutation header(XSRF attack?)");
  }

(3) is a bit confusing to me. It was definitely there in an older version of
RemoteServiceServlet (I think GWT 1.6?). But the current "in-trunk" version
of RemoteServiceServlet doesn't have that check. Instead, that check has
been moved to another class RpcServlet, which has been marked as
experimental.

GWT does seem to follow the "use a custom header to prevent XSRF attack"
technique. Question is - Is it enough?

--Sri


2009/9/16 Diego Lovison <[email protected]>

>
> in which class you see this "When I went through the code for GWT's
> RemoteServiceServlet, I see that it checks for the presence of a HTTP
> header "X-GWT-Permutation", and fails the service if absent. " ?
>
> On 16 set, 11:55, Sripathi Krishnan <[email protected]>
> wrote:
> > I have read the discussion at
> > http://groups.google.com/group/google-web-toolkit/web/security-for-gw...
> > follow it completely. The general recommendation to prevent Cross Site
> > Scripting is to duplicate the session id in the http request payload.
> > Doing that takes some effort, and I don't want to do it unless absolutely
> > necessary.
> >
> > When I went through the code for GWT's RemoteServiceServlet, I see that
> > it checks for the presence of a HTTP header "X-GWT-Permutation", and
> > fails the service if absent.
> >
> > I thought about it for some time, and came to the conclusion that the
> > http header alone should be sufficient to prevent cross site scripting.
> >
> > The only way that header can be set is via a XmlHttpRequest. A request
> > originating from <script>, <iframe>, <img>, <form> tags is not going to
> > be able to set that header. And an XmlHttpRequest originating from a
> > different domain is not going to work due to Same Origin Policy.
> >
> > *Question* - Is this conclusion correct? Has anybody yet found a way to
> > get around the http header and make a XSS attack to a GWT RPC Service?
> >
> > thanks!
> > --Sri
> >
>
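Added example, not GWT's own code and not part of any message in this thread: a servlet Filter that enforces the same "custom header must be present" rule the thread describes for every request under an RPC path, so the protection no longer depends on which servlet base class (RemoteServiceServlet or the experimental RpcServlet) happens to carry the check. The header name X-GWT-Permutation comes from the thread; the filter class name, the logging and the web.xml path are assumptions.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not GWT's); map it in web.xml to the RPC path,
// e.g. <url-pattern>/app/rpc/*</url-pattern> (path is an assumption).
public class GwtPermutationHeaderFilter implements Filter {
  // Header the client sets in RpcRequestBuilder.doFinish() (from the thread).
  static final String STRONG_NAME_HEADER = "X-GWT-Permutation";
  private static final Logger LOG =
      Logger.getLogger(GwtPermutationHeaderFilter.class.getName());

  public void init(FilterConfig cfg) {}
  public void destroy() {}

  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) req;
    HttpServletResponse httpResp = (HttpServletResponse) resp;
    if (!isAccepted(httpReq.getMethod(), httpReq.getHeader(STRONG_NAME_HEADER))) {
      // Same outcome as the SecurityException in processCall(), but logged with
      // enough context to notice forged or misconfigured clients in the logs.
      LOG.warning("Blocked " + httpReq.getMethod() + " " + httpReq.getRequestURI()
          + " from " + httpReq.getRemoteAddr() + ": missing " + STRONG_NAME_HEADER);
      httpResp.sendError(HttpServletResponse.SC_FORBIDDEN);
      return;
    }
    chain.doFilter(req, resp);
  }

  // Pure decision function, kept separate so it can be unit-tested.
  // GWT RPC calls are POSTs; a cross-site <form> can POST but cannot add this
  // header, and <img>/<script> tags can only GET, so both are rejected here.
  static boolean isAccepted(String method, String permutationHeader) {
    if (!"POST".equals(method)) return false;
    return permutationHeader != null && permutationHeader.trim().length() > 0;
  }
}
```

This rejects the requests a browser generates from form, image, script or frame tags, which cannot carry custom headers; it does not help against script already running in the application's own origin, nor against a CORS configuration that allows other origins to send the header.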

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en
-~----------~----~----~----~------~----~------~--~---