On Tuesday, January 28, 2014 5:04:08 PM UTC+1, Kurt Dmello wrote:
>
> Hey folks,
> I am a relative noob to GWT and have been looking at it from a security 
> code review perspective.  I want to create a set of guidelines for people 
> who have to review GWT code from a security perspective looking for 
> vulnerabilities.
>
> I have read and understood :
> http://www.gwtproject.org/articles/security_for_gwt_applications.html
>
> I have also implemented the StockWatcher application by following the 
> tutorial.
>
> In trying to introduce vulnerabilities that I could exploit as a 
> demonstration for what to look for I have failed.  My understanding after 
> reading the article on GWT security was that if tainted data is set using 
> setHTML() or setInnerHTML() on a client widget it will be susceptible to 
> XSS. 
>
> I found the HTML() widget to contain a setHTML() routine that took a 
> String and not SafeHTML and set its value to contain a variety of standard 
> XSS exploits such as <script>alert(1);</script>.  It does not produce the 
> expected results.  It seems to me that there is a black list or further 
> escaping that happens underneath the covers.  Is it that I am simply out 
> "popping" out to the right context, or is GWT truly immune to XSS?
>

What you're seeing here is browser "sanitization" from innerHTML (not 
sanitization actually, just that <script> elements are not run). Try with <img 
onerror="alert(1)" src="//"> or similar (onclick, etc.)
 

> What should someone performing code review on a GWT app be looking for?
>

Everywhere SafeHtml / SafeStyles / SafeUri could be used but is not 
(HasHTML#setHTML is one such thing).

-- 
http://groups.google.com/group/Google-Web-Toolkit-Contributors
--- 
You received this message because you are subscribed to the Google Groups "GWT 
Contributors" group.
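The two points made in the reply, shown side by side as an added example (this is illustration code written for this page, not code from the original thread or from the GWT project): the `String` overload of `HasHTML#setHTML` hands tainted markup straight to innerHTML, where `<script>` does not run but an `<img onerror>` handler does, and the fix is to route the same data through `SafeHtmlUtils`, `SafeHtmlBuilder`, `SafeHtmlTemplates` and `UriUtils`. The class name `CommentView`, the method names and the `TAINTED` payload string are constructed for the example; the GWT imports and API calls are real.

```java
// Added example for review training; not part of the GWT project or the thread.
// Assumed: a GWT 2.x client module that renders an untrusted comment string.
import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.RootPanel;

public class CommentView implements EntryPoint {

    // Constructed attacker input (the payload from the reply above, plus a
    // javascript: link). innerHTML never executes <script>, but the onerror
    // handler fires as soon as the broken image fails to load.
    static final String TAINTED =
        "<img onerror=\"alert(1)\" src=\"//\"> <a href=\"javascript:alert(2)\">x</a>";
    static final String TAINTED_HREF = "javascript:alert(3)";

    // VULNERABLE: HasHTML#setHTML(String) / new HTML(String) goes straight to
    // innerHTML. This is the call a reviewer greps for.
    static HTML renderUnsafe(String untrusted) {
        HTML w = new HTML();
        w.setHTML(untrusted);          // tainted markup interpreted by the browser
        return w;
    }

    // HARDENED 1: escape the whole value. SafeHtmlUtils.fromString() escapes
    // & < > " ' so the payload is displayed literally and no handler is created.
    static HTML renderEscaped(String untrusted) {
        HTML w = new HTML();
        w.setHTML(SafeHtmlUtils.fromString(untrusted));   // SafeHtml overload
        return w;
    }

    // HARDENED 2: mix trusted literal markup with escaped data. appendHtmlConstant()
    // is only for compile-time constants; never feed it untrusted input.
    static SafeHtml renderWrapped(String author, String untrusted) {
        SafeHtmlBuilder b = new SafeHtmlBuilder();
        b.appendHtmlConstant("<div class=\"comment\"><b>");
        b.appendEscaped(author);
        b.appendHtmlConstant("</b>: ");
        b.appendEscaped(untrusted);
        b.appendHtmlConstant("</div>");
        return b.toSafeHtml();
    }

    // HARDENED 3: SafeHtmlTemplates escapes each placeholder for its context
    // (attribute, URI attribute, text). A SafeUri built with UriUtils.fromString()
    // replaces javascript: and other unsafe schemes with "#".
    interface Templates extends SafeHtmlTemplates {
        @Template("<a href=\"{0}\" title=\"{1}\">{2}</a>")
        SafeHtml link(SafeUri href, String title, String text);
    }
    static final Templates T = GWT.create(Templates.class);

    static SafeHtml renderLink(String untrustedHref, String untrustedText) {
        SafeUri href = UriUtils.fromString(untrustedHref);   // sanitized, not trusted
        return T.link(href, untrustedText, untrustedText);
    }

    @Override
    public void onModuleLoad() {
        RootPanel root = RootPanel.get();
        root.add(renderUnsafe(TAINTED));                       // alert(1) fires
        root.add(renderEscaped(TAINTED));                      // shown as text
        root.add(new HTML(renderWrapped("mallory", TAINTED))); // shown as text
        root.add(new HTML(renderLink(TAINTED_HREF, TAINTED))); // href becomes "#"
    }
}
```

For the review checklist the reply asks for, the calls worth flagging in a GWT code base are the `String` overloads where a `SafeHtml`, `SafeStyles` or `SafeUri` overload exists (`setHTML(String)`, `Element.setInnerHTML(String)` instead of `setInnerSafeHtml`, `Anchor.setHref(String)`), plus the escape hatches that assert trust rather than enforce it: `SafeHtmlUtils.fromTrustedString`, `UriUtils.fromTrustedString`, `SafeHtmlBuilder.appendHtmlConstant` with a non-literal argument, and JSNI methods that assign to `innerHTML` or `href` directly. Each of those is only as safe as the provenance of the string handed to it.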