Gwt Security: Don’T Get Distracted By Bright Shiny Objects presented at Blackhat USA 2010

by David Byrne, Charles Henderson,

Tags: Security Testing

Summary : The Google Web Toolkit (GWT) produces some of the slickest web-based applications out there; it’s easy to understand why it has been gathering popularity. But there’s obviously more to writing a secure application than making the UI nice and shiny. The framework’s functionality is not limited to GUI controls - it also has significant support for remote procedure calls. The browser-side code is implemented entirely in JavaScript that the GWT generates from developer-written Java code. While GWT RPC can be implemented securely, many developers either rely on the JavaScript obfuscation, or don’t realize how their Java code is going to be split between the server & client. Either way, insecure GWT remoting is very common.
This presentation will demonstrate how to exploit common vulnerabilities in GWT applications, particularly with RPC functionality. Non-human readable format of the JavaScript makes penetration testing GWT applications very time consuming. To aid with testing, the presenters are releasing REGWT, a tool to reverse engineer GWT applications. It will allow a pen tester to map out GWT RPC methods that would otherwise be hidden and easily test them for various vulnerabilities.