Hi, I want to find security holes in a) and b).
I know that a) is always untrustable but there are some things to check out, e.g. read / write of window.location or use setInnerHtml on untrusted data, as Sripathi Krishnan said.

With the knowledge of possible GWT-RPCs I can try to attack b). Thus, I can check if the input is validated correctly on the server. Testing a GWT application without knowing what the parameters in GWT-RPCs mean is very time-consuming, so I hope to retrieve some information automatically.

But you are right, finding security holes is also a manual task. No scanner or other application will find all security holes.

Basdl

On 29 Sep., 17:08, Stefan Bachert <[email protected]> wrote:
> Hi,
>
> First let us clarify what "GWT App" may mean:
>
> a) the browser part compiled to JavaScript
> b) The server part, still running in Java
> overall app means a) + b)
>
> a) is always untrustable. Any attackers could substitute the client by
> anything he/she likes.
> Even when you deliver the best secured browser client, it does not
> increase the security of your overall app.
>
> b) GWT-RPC does some automatic improvements, however, you must check
> any input because there is no guaranty to come from a trusted and
> honest source.
> However, server side is still java, any java techniques for security
> may apply. This is hardly a GWT topic.
>
> I don't think there is an automatic way to find vulnerabilities.
> Without understanding classical attack vectors and a great inspiration
> of finding potential new ones, you won't increase security.
> This will always be a manual task for a human being.
>
> When you need a second pair of professional eyes, you may contact me.
> Your site is one hour from my site.
>
> Stefan Bachert
> http://gwtworld.de
>
> On 28 Sep., 13:29, Basdl <[email protected]> wrote:
>
> > Hello,
> >
> > I'd like to find vulnerabilities in my GWT applications.
> > Thus, I prepared an example application with SQL injection
> > and cross-site scripting holes.
> > Now I want to find these holes with automatic tests.
> > In my opinion, a static analysis is a reasonable way to do this.
> > At (manually) searching the generated javascript, I located
> > my variables in the first script-tag in the body and the
> > corresponding function in the 18th script tag.
> >
> > Now I have the following questions:
> > - Is there a documentation of the GWT compiler available,
> > that shows how the java source is translated into javascript?
> > Hence, I could inspect only the part of the javascript
> > that is related to my self-coded java and not to the framework.
> > - How can I identify standard parameters and functions (to skip them)?
> > - Does anyone know a better solution to find the described
> > vulnerabilities?
> > - Do you have some hints to perform such a security analysis?
> >
> > Thanks in advance
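
Added example, not part of the original thread: a small decoder for the header of a GWT-RPC request body, to list which service method and parameter types the server side receives and therefore has to validate. It assumes the pipe-delimited layout of GWT-RPC protocol versions 5 to 7 and that literal pipes inside strings are escaped by the client; the function name and the sample request are constructed for illustration.

```python
# Assumed layout: version|flags|N|<N strings>|<payload tokens>|
# The payload starts with 1-based string-table indices for module base URL,
# serialization-policy strong name, service interface and method name,
# followed by the parameter count and one type index per parameter.

# Constructed sample request (not captured from a real application).
SAMPLE_REQUEST = (
    "7|0|6|http://localhost:8080/app/|0123456789ABCDEF0123456789ABCDEF|"
    "com.example.client.GreetingService|greetServer|"
    "java.lang.String/2004016611|World|1|2|3|4|1|5|6|"
)


def parse_gwt_rpc_request(body):
    """Return service, method and parameter types of a GWT-RPC request."""
    tokens = body.split("|")
    if tokens and tokens[-1] == "":
        tokens.pop()  # the body ends with a trailing pipe
    if len(tokens) < 3:
        raise ValueError("too short for a GWT-RPC request")
    version, flags, count = (int(t) for t in tokens[:3])
    strings = tokens[3:3 + count]
    payload = tokens[3 + count:]
    if len(strings) != count or len(payload) < 5:
        raise ValueError("truncated string table or payload")

    def lookup(token):
        index = int(token)
        if not 1 <= index <= count:
            raise ValueError("string index out of range: %r" % token)
        return strings[index - 1]

    n_params = int(payload[4])
    if n_params < 0 or len(payload) < 5 + n_params:
        raise ValueError("parameter count does not match payload")
    # Type entries look like "java.lang.String/2004016611"; drop the signature.
    param_types = [lookup(t).split("/")[0] for t in payload[5:5 + n_params]]
    return {
        "version": version,
        "service": lookup(payload[2]),
        "method": lookup(payload[3]),
        "param_types": param_types,
        # Values are type-dependent (a String is a table index, objects span
        # several tokens), so they are returned undecoded.
        "raw_values": payload[5 + n_params:],
    }


if __name__ == "__main__":
    print(parse_gwt_rpc_request(SAMPLE_REQUEST))
```

Every method and parameter type listed this way is input the server must check itself, since nothing in the request proves it came from the compiled client.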
