Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Thursday, July 29 • 1:45pm - 3:00pm
GWT Security: Don’t get distracted by bright shiny objects

Sign up or log in to save this to your schedule and see who's attending!

The Google Web Toolkit (GWT) produces some of the slickest web-based applications out there; it’s easy to understand why it has been gathering popularity. But there’s obviously more to writing a secure application than making the UI nice and shiny. The framework’s functionality is not limited to GUI controls - it also has significant support for remote procedure calls. The browser-side code is implemented entirely in JavaScript that the GWT generates from developer-written Java code. While GWT RPC can be implemented securely, many developers either rely on the JavaScript obfuscation, or don’t realize how their Java code is going to be split between the server & client. Either way, insecure GWT remoting is very common.

 

This presentation will demonstrate how to exploit common vulnerabilities in GWT applications, particularly with RPC functionality. Non-human readable format of the JavaScript makes penetration testing GWT applications very time consuming. To aid with testing, the presenters are releasing REGWT, a tool to reverse engineer GWT applications. It will allow a pen tester to map out GWT RPC methods that would otherwise be hidden and easily test them for various vulnerabilities.


Thursday July 29, 2010 1:45pm - 3:00pm
Day 2 - Web Apps

Attendees (13)

  • Profile image
  • Profile image