Thomas and Stephen - Completely agree that if you are testing one specific GWT application that you have developed, it is always better to
- grep for XSS vulnerabilities,
- manual code review + directly invoking RPC services from a Java program for SQL injection.

But what if you are doing a black-box security review, and don't have access to the code? The above techniques don't work in that case. There are automated scanners for regular web applications, but AFAIK, there is nothing in the market for penetration-testing a GWT application.

From what I understand, @Basdl is a security professional, and is probably assigned the job of testing a GWT application someone else built. In that case, there is nothing much he can do but write a tool that does some reverse engineering of GWT-generated code. I had started degwt to build that reverse-engineering tool to be used in such cases, but as with most open source projects, I lost steam half-way through. It's *not* useful for most people on this mailing list, because the vast majority will always have access to the code. But for a few people like me and Basdl, I believe it has some potential.

--Sri

On 29 September 2010 21:34, Thomas Broyer <t.bro...@gmail.com> wrote:
>
> On Sep 29, 5:54 pm, Basdl <b...@cirosec.de> wrote:
> > Hi,
> >
> > I want to find security holes in a) and b).
> >
> > I know that a) is always untrustable but there are some things to check
> > out, e.g. read / write of window.location or use of setInnerHtml on untrusted
> > data, as Sripathi Krishnan said.
>
> You'd probably have better luck searching all occurrences of
> HasHTML.setHTML and/or Element.setInnerHTML and/or Window.Location and
> manually checking, than trying to write a robot to find holes for you.
>
> > With the knowledge of possible GWT-RPCs I can try to attack b).
> > Thus, I can check if the input is validated correctly on the server.
>
> If the goal is to check your code, as opposed to GWT
> RemoteServiceServlet and associated RPC serialization, then how about
> just calling your methods in pure Java, without resorting to "GWT-RPC
> over HTTP".
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-tool...@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
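Thomas's suggestion above (search the client source for every HasHTML.setHTML, Element.setInnerHTML and Window.Location use, then check each hit by hand) as a small triage script. This is example code added here; it is not from the thread, from degwt, or from GWT itself. It walks a tree of .java files, skips commented-out lines, and marks a setHTML/setInnerHTML call whose only argument is a single string literal as low priority so the reviewer can go straight to the computed arguments. Matching on the bare method name rather than the declaring type is an assumption about how GWT client code is normally written (widget.setHTML(...), not HasHTML.setHTML), and the Demo class is a constructed sample.

```python
"""Triage GWT client source for DOM/URL sinks worth a manual look (added example)."""
import re
import sys
from pathlib import Path

# Sinks named in the thread. Matching the method name alone is an assumption:
# GWT code calls widget.setHTML(...) / element.setInnerHTML(...), and rarely
# spells out the interface that declares the method.
SINK_PATTERNS = {
    "setHTML": re.compile(r"\.setHTML\s*\(\s*(.*)$"),
    "setInnerHTML": re.compile(r"\.setInnerHTML\s*\(\s*(.*)$"),
    "Window.Location": re.compile(r"\bWindow\.Location\b(.*)$"),
}

# A call whose whole argument list is one string literal: constant markup.
LITERAL_ARG = re.compile(r'^"(?:[^"\\]|\\.)*"\s*\)')


def classify(sink, rest):
    """'literal' for constant markup, 'review' for anything computed."""
    if sink == "Window.Location":
        # Reads feed DOM-based XSS sources, writes are open-redirect candidates;
        # both need a human to trace the data, so never downgrade them.
        return "review"
    return "literal" if LITERAL_ARG.match(rest) else "review"


def find_sinks(source, filename="<constructed>"):
    """Return one dict per sink occurrence, in line order; comments are skipped."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "*", "/*")):
            continue
        for sink, rx in SINK_PATTERNS.items():
            m = rx.search(stripped)
            if m:
                hits.append({
                    "file": filename,
                    "line": n,
                    "sink": sink,
                    "priority": classify(sink, m.group(1).strip()),
                    "text": stripped,
                })
    return hits


def scan_tree(root):
    """Scan every .java file under root (the client package of a GWT module)."""
    hits = []
    for path in sorted(Path(root).rglob("*.java")):
        hits.extend(find_sinks(path.read_text(errors="replace"), str(path)))
    return hits


# Constructed sample class, not from any real project.
SAMPLE_JAVA = """\
package example.client;
public class Demo {
  void render(String userName, String token) {
    label.setHTML("<b>Welcome</b>");
    panel.setHTML("<b>" + userName + "</b>");
    DOM.getElementById("out").setInnerHTML(token);
    // box.setHTML(oldValue);
    String next = Window.Location.getParameter("next");
    Window.Location.assign(next);
  }
}
"""


def report(hits):
    for h in hits:
        print(f"{h['file']}:{h['line']}: [{h['priority']}] {h['sink']}: {h['text']}")


if __name__ == "__main__":
    # Usage: python gwt_sinks.py path/to/src/main/java/.../client
    report(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_sinks(SAMPLE_JAVA))
```

On the sample, line 4 is reported as "literal" and the other four hits (the concatenated welcome string, the raw token, and both Window.Location uses) as "review"; the commented-out call on line 7 is not reported. As Thomas says, the script only finds the places to look; whether userName or next is attacker-controlled is still a manual check.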