For JSON, you'd have to go pretty far out of your way to get attacked, like loading something untrusted via JSONP, or manually parsing your own JSON with eval (rather than any of the safe built-in tools), or, ya know, forgetting to run SSL and having someone intercept your server communication. This isn't GWT specific; you just have to ignore basic web security stuff for these.

GWT doesn't run on the server, so XSRF issues don't really apply to GWT itself. To be attacked in this way, the server needs to accept requests from remote (i.e. attacking) sites without doing something to confirm that they came from the real app. The default RPC and RequestFactory servlets don't do any session or auth management, so they don't have a specific vulnerability, but a POST sent to them from an attacking site that is treated as a request from the app itself entirely based on the contents of a cookie (i.e. jsessionid) could be an attack vector. As I said though, RPC/RF don't build in any security but leave it to the app to decide what a user is and what a session is; the code that is reading the HTTP request and deciding that a request is valid is responsible for that. Both RPC and RF have ways to add some content to the body that is keyed off of something only a real request from the user should know.

On Tuesday, January 28, 2014 2:22:03 PM UTC-6, Kurt Dmello wrote:
>
> Thanks folks,
> This is great stuff. Keep it coming!
>
> I am looking for all potential points of interest in a code review,
> including XSRF and JSON related vulnerabilities.
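The post's point is that a request must not be accepted as "from the app" on the strength of the session cookie alone, because a cross-site POST carries that cookie too; the server should additionally require something only the real client can supply. The filter below is an added illustration of that synchronizer-token check in plain Servlet API Java, not code from the thread or from GWT itself. The header name, session attribute name, and the assumption that the client obtains the token and attaches it to each RPC/RequestFactory POST are choices made for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter placed in front of GWT-RPC / RequestFactory servlets.
 * A state-changing request is accepted only if it echoes a per-session
 * secret that the app's own client code knows and a third-party origin
 * cannot read. Header and attribute names are assumptions for this example.
 */
public class XsrfTokenFilter implements Filter {
    static final String TOKEN_HEADER = "X-XSRF-Token";   // assumed header name
    static final String SESSION_ATTR = "xsrf.token";     // assumed session attribute
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns this session's token, minting a random one on first use. */
    public static String tokenFor(HttpSession session) {
        synchronized (session) {
            String token = (String) session.getAttribute(SESSION_ATTR);
            if (token == null) {
                byte[] raw = new byte[32];
                RNG.nextBytes(raw);
                token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
                session.setAttribute(SESSION_ATTR, token);
            }
            return token;
        }
    }

    /** Constant-time comparison so the check does not leak the token by timing. */
    static boolean tokensMatch(String expected, String presented) {
        if (expected == null || presented == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        String method = r.getMethod();

        // Safe methods do not change state; the token requirement applies to POST and friends.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            chain.doFilter(req, res);
            return;
        }

        // Without an existing session there is no cookie-based identity to forge;
        // whatever auth layer the app has decides what to do with the request.
        HttpSession session = r.getSession(false);
        if (session == null) {
            chain.doFilter(req, res);
            return;
        }

        // The browser attaches the jsessionid cookie to a cross-site POST automatically,
        // but a foreign origin cannot read this session's token to put it in the request.
        String presented = r.getHeader(TOKEN_HEADER);
        if (!tokensMatch(tokenFor(session), presented)) {
            w.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid XSRF token");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The client side has to learn the token once (for instance from a same-origin endpoint that calls `tokenFor` on the live session, or from the host page) and send it with every RPC call, which GWT's `RequestBuilder` allows via `setHeader`. Sending the token as a custom header rather than a body field has the side effect that a cross-origin request carrying it triggers a CORS preflight, which a server with default CORS settings will not approve. GWT also ships its own variant of this mechanism for RPC (`XsrfProtectedServiceServlet` with `XsrfTokenService`), which derives the token from the session cookie value instead of storing a separate secret.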