Hi, I'm looking for details (references to code are fine) about how the rpc messages are formatted. I'm doing penetration testing for a client's GWT rpc servlets but cannot access their source or discuss with their developers (black/grey box testing).
Looking at an rpc request it appears to be formated the following way: #|#|#|URL|StrongHash|Class_Name|Method_Name|ARG1_Class_name| ARG1_member1|...|ARG1_memberN|ARG2_Class_Name|ARG2_member1|...| ARG2_memberN|#|#|#|#.....|#|#|# The first three #'s appear to be related to the request and number of args, not %100 sure on this relation. The last set of #"s I'm very confused on what they do and mean. I have the following use case that will probably result in a successful penetration test for my client. A request to method M1 sends and object with all the fields set to NULL. A request to method M2 sends the same object and some additional objects, but with all the fields set to valid values. I need to create a request to M1 with the same object sent to M2. Since M2 also has additional arguments the RPC requests are rather different and it isn't straight forward for me. Of course through a hundred hours of reading GWT source I could figure this out, but hopefully there is something simpler. I can request a copy of the class file for the class I need to serialize and send to M1, if that will allow me to make the request to M1 using GWT interfaces. -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
