[gwt-contrib] Re: Quarterly Hangouts On Air
A reddit-style AMA would be really cool; so long as we give enough warning and promo (like posting the event in the G+ community a month ahead of time), I'm sure it would be a hit. The questions in the Moderator would probably all get asked, though seeing some of them come up in the gwt-team meetings would be cool too. An actual hangout over a single time slot generally leaves a lot of people unable to come, so maybe we'll see if we can keep attracting a lot of people to the community meetings, and maybe we'll get a greater audience at steering committee meetings.

The only reason I was not viewing the public committee meetings was visibility; my gwt-contrib emails were getting filtered with hundreds of other group emails, so I didn't really keep up (I have since created a filter specifically for GWT). I am going to email Bhaskar to see if I can get plugged in on the meeting tomorrow, and I bet if we post it on G+, we'll see greater developer interest.

-- 
http://groups.google.com/group/Google-Web-Toolkit-Contributors
--- 
You received this message because you are subscribed to the Google Groups GWT Contributors group. To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit-contributors+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
Re: [gwt-contrib] Re: Quarterly Hangouts On Air
The concern I've heard expressed during in-person discussions about how to do this is that a written document of answers 'feels' more real and concrete than a group of people answering questions live, since they clearly have no chance to vet their answers with their own organization or with each other. As long as the questions stay in the realm of what GWT currently is, that wouldn't be an issue, but when we start jumping into the "When will IE X support be dropped", "When will Java Y support be added" or "Why isn't my library being added to GWT" territory, the panelists may feel as though it is safer to just leave the questions unanswered. That said, this would be keeping in the reddit AMA form...

With a live speaker and panel, if no one answers a question, the dead air gets to people, and someone steps up to try an answer or at least rephrase the question, even though the answer might be qualified ("this is just my opinion") or vague ("we're still working through the specifics").

BTW, there is a /r/gwt already; we could start there for some informal stuff (weekly/monthly AMAs), and then do a slightly more official call quarterly?

On Tue, Jan 28, 2014 at 9:59 AM, James Nelson ja...@wetheinter.net wrote:
> [...]

-- 
218.248.6165
niloc...@gmail.com
[gwt-contrib] Re: XSS in GWT
On Tuesday, January 28, 2014 5:04:08 PM UTC+1, Kurt Dmello wrote:
> Hey folks,
>
> I am a relative noob to GWT and have been looking at it from a security code review perspective. I want to create a set of guidelines for people who have to review GWT code from a security perspective looking for vulnerabilities. I have read and understood: http://www.gwtproject.org/articles/security_for_gwt_applications.html
>
> I have also implemented the StockWatcher application by following the tutorial. In trying to introduce vulnerabilities that I could exploit as a demonstration for what to look for, I have failed. My understanding after reading the article on GWT security was that if tainted data is set using setHTML() or setInnerHTML() on a client widget it will be susceptible to XSS. I found the HTML widget to contain a setHTML() routine that took a String and not SafeHtml, and set its value to contain a variety of standard XSS exploits such as <script>alert(1);</script>. It does not produce the expected results. It seems to me that there is a black list or further escaping that happens underneath the covers. Is it that I am simply not popping out to the right context, or is GWT truly immune to XSS?

What you're seeing here is browser sanitization from innerHTML (not sanitization actually, just that the scripts are not run). Try with <img onerror=alert(1) src=//> or similar (onclick, etc.)

> What should someone performing code review on a GWT app be looking for?

Everywhere SafeHtml / SafeStyles / SafeUri could be used but is not (HasHTML#setHTML is one such thing).
[gwt-contrib] XSS in GWT
Hey folks,

I am a relative noob to GWT and have been looking at it from a security code review perspective. I want to create a set of guidelines for people who have to review GWT code from a security perspective looking for vulnerabilities. I have read and understood: http://www.gwtproject.org/articles/security_for_gwt_applications.html

I have also implemented the StockWatcher application by following the tutorial. In trying to introduce vulnerabilities that I could exploit as a demonstration for what to look for, I have failed. My understanding after reading the article on GWT security was that if tainted data is set using setHTML() or setInnerHTML() on a client widget it will be susceptible to XSS. I found the HTML widget to contain a setHTML() routine that took a String and not SafeHtml, and set its value to contain a variety of standard XSS exploits such as <script>alert(1);</script>. It does not produce the expected results. It seems to me that there is a black list or further escaping that happens underneath the covers. Is it that I am simply not popping out to the right context, or is GWT truly immune to XSS?

What should someone performing code review on a GWT app be looking for?

Thanks,
Kurt
[gwt-contrib] Re: XSS in GWT
Another set of dangerous code to look for would be any SafeHtmlUtils or SafeHtmlBuilder (and their URI/style counterparts) call that should take a 'constant' or 'trusted' value but instead takes untrusted user data. Custom implementations of SafeHtml should also be treated as suspect. These all fall under the category of "deliberately abusing the SafeHtml API will make it no longer safe".

On Tuesday, January 28, 2014 11:17:49 AM UTC-6, Thomas Broyer wrote:
> [...]
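Putting the review points from this thread side by side in one GWT entry point, as an added example that is not from the thread or from the GWT project: the HasHTML#setHTML(String) sink with the <img onerror> probe, the SafeHtml-typed replacements (SafeHtmlUtils.fromString, SafeHtmlBuilder, SafeHtmlTemplates, UriUtils.sanitizeUri), and the "laundering" calls that keep the SafeHtml type but skip the escaping. The package and class names, the ?name= query parameter and the payload string are assumptions made for the demo; the GWT classes and methods used are the real com.google.gwt.safehtml and com.google.gwt.user.client.ui API.

```java
// Added example, not code from the gwt-contrib thread or from GWT itself.
// Package/class names and the ?name= input are hypothetical; the API calls are real.
package example.client;

import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;
import com.google.gwt.user.client.Window;
import com.google.gwt.user.client.ui.Anchor;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.Label;
import com.google.gwt.user.client.ui.RootPanel;

public class XssReviewDemo implements EntryPoint {

  // Constructed payload. A <script> element written through innerHTML is parsed
  // but never executed, which is why that probe looked harmless; an event-handler
  // attribute on an injected element fires as soon as the element is created.
  private static final String PAYLOAD = "<img src=// onerror=alert(1)>";

  // Template parameters are escaped for the context they land in
  // (attribute value, URI, text), so untrusted Strings are acceptable here.
  interface Templates extends SafeHtmlTemplates {
    @Template("<li class=\"{0}\"><a href=\"{1}\">{2}</a></li>")
    SafeHtml item(String cssClass, SafeUri href, String label);
  }

  private static final Templates TEMPLATES = GWT.create(Templates.class);

  @Override
  public void onModuleLoad() {
    // Attacker-controlled input: ?name=... on the URL, defaulting to the payload
    // so the demo runs without any extra setup.
    String name = Window.Location.getParameter("name");
    if (name == null) {
      name = PAYLOAD;
    }
    RootPanel root = RootPanel.get();

    // 1. The sink to flag: HasHTML#setHTML(String) (likewise the HTML(String)
    //    constructor, InlineHTML, and Element#setInnerHTML). Any call whose
    //    argument is not a compile-time constant is a finding.
    HTML vulnerable = new HTML();
    vulnerable.setHTML("Hello " + name);               // alert(1) fires
    root.add(vulnerable);

    // 2. Same widget, hardened: escape at the sink via the SafeHtml overload.
    //    When no markup is needed, Label/setText goes through textContent,
    //    never innerHTML, and is simpler still.
    root.add(new HTML(SafeHtmlUtils.fromString("Hello " + name)));
    root.add(new Label("Hello " + name));

    // 3. Markup around untrusted data: constant markup via appendHtmlConstant,
    //    untrusted data via appendEscaped. appendHtmlConstant is for literals only.
    SafeHtmlBuilder b = new SafeHtmlBuilder();
    b.appendHtmlConstant("<b>").appendEscaped(name).appendHtmlConstant("</b>");
    root.add(new HTML(b.toSafeHtml()));

    // 4. Attribute and URI contexts: a template plus UriUtils.sanitizeUri, which
    //    replaces javascript: and other non-whitelisted schemes with "#".
    SafeUri href = UriUtils.sanitizeUri(name);
    root.add(new HTML(TEMPLATES.item("user", href, name)));
    root.add(new Anchor(SafeHtmlUtils.fromString(name), href));

    // 5. API abuse: the static type says SafeHtml but nothing was escaped.
    //    Each of these is a finding whenever the argument is not a constant.
    SafeHtml laundered = SafeHtmlUtils.fromTrustedString(name);   // XSS again
    root.add(new HTML(laundered));
    // SafeHtmlUtils.fromSafeConstant(name);         // same: meant for literals
    // new SafeHtmlBuilder().appendHtmlConstant(name); // same
    // new Anchor("profile", name);                  // String href, unsanitized
    // class Sneaky implements SafeHtml { ... }      // hand-rolled SafeHtml: suspect
  }
}
```

Loading the module with ?name=%3Cimg%20src%3D//%20onerror%3Dalert(1)%3E pops the alert twice (steps 1 and 5) and renders the payload as visible text everywhere else. For a code review, the practical rule that falls out of this is: every String-typed argument reaching setHTML, setInnerHTML, fromTrustedString, fromSafeConstant, appendHtmlConstant, or a String href/style setter must be traceable to a compile-time constant, otherwise it is a finding.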
[gwt-contrib] Re: XSS in GWT
Thanks Thomas,

That was helpful. I tried the img tag and it did work.

> What you're seeing here is browser sanitization from innerHTML (not sanitization actually, just that the scripts are not run). Try with <img onerror=alert(1) src=//> or similar (onclick, etc.)
>
>> What should someone performing code review on a GWT app be looking for?
>
> Everywhere SafeHtml / SafeStyles / SafeUri could be used but is not (HasHTML#setHTML is one such thing).
Re: [gwt-contrib] Re: XSS in GWT
Maybe Matthew Dempsky can comment, but I believe there's an error-prone plugin that handles checking for XSS in GWT and bad use of SafeHtml/setHTML.

On Tue, Jan 28, 2014 at 12:05 PM, Kurt Dmello kdme...@gmail.com wrote:
> [...]
[gwt-contrib] Re: XSS in GWT
Thanks folks,

This is great stuff. Keep it coming! I am looking for all potential points of interest in a code review, including XSRF and JSON-related vulnerabilities.
[gwt-contrib] Re: Next Contributor Hangout
Hi Folks,

Sorry about this, but I'm going to have to move this hangout by a week, to Wednesday Feb 5th, same time - 10.45 to 11.30am. We have another internal (Google) meeting that requires me and other GWT team members to be present. The meeting will still be recorded and available as usual.

Thanks,
Bhaskar