On Sep 29, 5:54 pm, Basdl <[email protected]> wrote:
> Hi,
>
> I want to find security holes in a) and b).
>
> I know that a) is always untrustable but there are some things to check
> out, e.g. read / write of window.location or use setInnerHtml on untrusted
> data as Sripathi Krishnan said.

You'd probably have better luck searching all occurrences of HasHTML.setHTML and/or Element.setInnerHTML and/or Window.Location and manually checking, than trying to write a robot to find holes for you.

> With the knowledge of possible GWT-RPCs I can try to attack b).
> Thus, I can check if the input is validated correctly on the server.

If the goal is to check your code, as opposed to GWT RemoteServiceServlet and associated RPC serialization, then how about just calling your methods in pure Java, without resorting to "GWT-RPC over HTTP"?
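
The search for manual review suggested in the reply above, as an added example that is not part of the original thread: a small Python scanner that lists HasHTML.setHTML, Element.setInnerHTML and Window.Location call sites in GWT Java sources and marks the calls whose only argument is a string literal. The regexes, function names and the sample source are assumptions of this example.

```python
import re
from pathlib import Path

# Call sites named in the reply above; the regexes are this example's approximation.
HTML_SINK = re.compile(r'\.(setHTML|setInnerHTML)\s*\(\s*("(?:[^"\\]|\\.)*"\s*\))?')
LOCATION = re.compile(r"\bWindow\.Location\.(\w+)")
# String literals are matched first so "//" inside them is not taken for a comment.
TOKEN = re.compile(r'"(?:[^"\\\n]|\\.)*"|//[^\n]*|/\*.*?\*/', re.S)

# Constructed sample input, not code from the thread.
SAMPLE = '''\
/* legacy: box.setHTML(raw); */
void render(HTML box, Element el, String bio) {
  box.setHTML("<a href='http://example.com/'>help</a>"); // fixed markup
  box.setHTML("<p>" + bio + "</p>");
  el.setInnerHTML(format(bio)); // el.setInnerHTML("old");
  Window.Location.assign(Window.Location.getParameter("next"));
}
'''


def strip_comments(src):
    """Blank out comments, keeping string literals and line numbering."""
    def keep(m):
        text = m.group()
        return text if text.startswith('"') else "\n" * text.count("\n")
    return TOKEN.sub(keep, src)


def find_sinks(src):
    """Return (line, sink, verdict); 'constant' only for a lone string-literal argument."""
    findings = []
    for no, line in enumerate(strip_comments(src).splitlines(), 1):
        for m in HTML_SINK.finditer(line):
            verdict = "constant" if m.group(2) else "review"
            findings.append((no, m.group(1), verdict))
        for m in LOCATION.finditer(line):
            findings.append((no, "Window.Location." + m.group(1), "review"))
    return findings


def scan_tree(root):
    """Run find_sinks over every .java file under root; returns {path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.java")):
        hits = find_sinks(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report
```

A call split across lines is reported as "review", so the list errs toward more manual checking rather than less.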
