Hi,

First let us clarify what "GWT App" may mean:

a) the browser part compiled to JavaScript
b) the server part, still running in Java

The overall app means a) + b).

a) is always untrustworthy. Any attacker could substitute the client with anything he/she likes. Even when you deliver the best-secured browser client, it does not increase the security of your overall app.

b) GWT-RPC does some automatic improvements; however, you must check any input because there is no guarantee that it comes from a trusted and honest source. However, the server side is still Java, so any Java techniques for security may apply. This is hardly a GWT topic.

I don't think there is an automatic way to find vulnerabilities. Without understanding classical attack vectors and a great deal of inspiration for finding potential new ones, you won't increase security. This will always be a manual task for a human being.

When you need a second pair of professional eyes, you may contact me. Your site is one hour from my site.

Stefan Bachert
http://gwtworld.de

On 28 Sep., 13:29, Basdl <[email protected]> wrote:
> Hello,
>
> I'd like to find vulnerabilities in my GWT applications.
> Thus, I prepared an example application with SQL injection
> and cross-site scripting holes.
> Now I want to find these holes with automatic tests.
> In my opinion, a static analysis is a reasonable way to do this.
> When (manually) searching the generated JavaScript, I located
> my variables in the first script tag in the body and the
> corresponding function in the 18th script tag.
>
> Now I have the following questions:
> - Is there documentation of the GWT compiler available
> that shows how the Java source is translated into JavaScript?
> Hence, I could inspect only the part of the JavaScript
> that is related to my self-coded Java and not to the framework.
> - How can I identify standard parameters and functions (to skip them)?
> - Does anyone know a better solution to find the described
> vulnerabilities?
> - Do you have some hints to perform such a security analysis?
> Thanks in advance
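[Added example, not part of the thread above and not code from either poster.] The point in the reply, that the compiled JavaScript can be replaced by an attacker and the server must therefore validate every GWT-RPC argument itself, is easiest to see in the server-side servlet. The following GWT-RPC service implementation shows the kind of SQL injection / XSS hole the question describes next to a hardened version of the same method. The service interface `UserService`, the method `lookupUser`, the JNDI name `java:comp/env/jdbc/app`, and the `users(name, email)` table are all assumptions made up for this example; in a real module the RPC interface would live in the client package.

```java
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.regex.Pattern;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.sql.DataSource;

// Hypothetical RPC interface (assumption for this example); in a real GWT
// module it lives in the client package and is referenced from the compiled JS.
interface UserService extends RemoteService {
    String lookupUser(String name);
}

public class UserServiceImpl extends RemoteServiceServlet implements UserService {

    // Whitelist of what a user name may legitimately contain; anything else is
    // rejected before it reaches SQL or the browser. The character set is an
    // assumption for this example.
    private static final Pattern NAME = Pattern.compile("[A-Za-z0-9_.-]{1,32}");

    // Assumed to be bound by the servlet container under this JNDI name.
    private DataSource ds;

    @Override
    public void init() throws ServletException {
        try {
            ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/app");
        } catch (NamingException e) {
            throw new ServletException("no DataSource bound", e);
        }
    }

    // Vulnerable variant (the kind of hole the question describes): the name
    // arrives from the untrusted client and is concatenated into the query.
    // A forged RPC request with name = "x' OR '1'='1" selects every row, and
    // the stored value is returned unescaped for the client to render as HTML.
    public String lookupUserVulnerable(String name) throws SQLException {
        try (Connection c = ds.getConnection(); Statement s = c.createStatement()) {
            ResultSet rs = s.executeQuery(
                "SELECT email FROM users WHERE name = '" + name + "'");
            return rs.next() ? rs.getString(1) : null;
        }
    }

    // Hardened variant: treat the client as hostile. Validate the argument,
    // bind it as a parameter, and escape what goes back to the browser.
    @Override
    public String lookupUser(String name) {
        if (name == null || !NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid user name");
        }
        final String sql = "SELECT email FROM users WHERE name = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name); // bound value, never part of the SQL text
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return null;
                }
                // Data in the table may itself have been planted by an attacker,
                // so escape it on the way out rather than trusting the client
                // to do so before it calls setInnerHTML.
                return SafeHtmlUtils.htmlEscape(rs.getString(1));
            }
        } catch (SQLException e) {
            throw new RuntimeException("lookup failed", e);
        }
    }
}
```

Two practical notes. First, this is why scanning the compiled JavaScript for the SQL injection hole cannot work: the query text only ever exists in the Java on the server, so that is where a static analysis (or a reviewer) has to look. Second, the escaping in `lookupUser` only matters if the client inserts the value with `setInnerHTML` or a `HTML` widget; a client that uses `setText` is safe on its own, but the server cannot know which client it is talking to, which is the reply's whole point.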
