Unlocking the Toolkit: Attacking Google Web Toolkit - Revision history

Mark.bristow at 19:31, 23 September 2010

2010-09-23T19:31:36Z

Dallendoug: added link header

2010-09-21T05:05:00Z

added link header

Mark.bristow: Created page with '== The presentation == rightThe Google Web Toolkit (GWT) provides developers with a framework to easily create Rich Internet Applications that u…'

2010-09-16T22:50:52Z

Created page with '== The presentation == rightThe Google Web Toolkit (GWT) provides developers with a framework to easily create Rich Internet Applications that u…'

New page

== The presentation ==

[[Image:Owasp_logo_normal.jpg|right]]The Google Web Toolkit (GWT) provides developers with a framework to easily create Rich Internet Applications that use AJAX. The beauty of GWT lies in the ability to write client side components in Java that get automatically compiled into optimized browser Javascript. Once deployed, this client side code has the ability to perform remote procedure calls to all implemented GWT RPC methods.

From an attacker’s perspective, GWT introduces several problems. Most notably, GWT RPC request use a custom serialization protocol which renders all common web application scanners useless for testing. Additionally, GWT client side code is heavily optimized and obfuscated making reverse engineering difficult. In short, these problems have historically made testing GWT applications a tedious and manual process…until now.

This presentation will discuss a collection of tools and techniques that can be used to efficiently perform GWT applications security assessments. The talk will include live demonstrations of how to easily:

* Unlock features within the applications user interface
* Parse GWT RPC request payloads
* Identify application parameters worthy of fuzzing
* Use custom and/or existing tools, such as Burp Intruder, to fuzz GWT parameters
* Navigate obfuscated GWT Javascript to enumerate RPC services and methods
* Quickly create a GWT client to craft custom GWT RPC requests
* Bypassing GWT's Cross-site Request Forgery (CSRF) protection

== The speaker ==

Speaker bio will be posted shortly.

[[Category:AppSec_DC_2010_Presentations]] [[Category:OWASP_Conference_Presentations]]

← Older revision		Revision as of 05:05, 21 September 2010
Line 1:		Line 1:
		+	[[Image:468x60-banner-2010.gif\|link=http://www.owasp.org/index.php?title=OWASP_AppSec_DC_2010]]
		+
		+	[https://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=d52c6f5f-d568-4e16-b8e0-b5e2bf87ab3a Registration] \| [https://resweb.passkey.com/Resweb.do?mode=welcome_gi_new&groupID=2766908 Hotel] \| [http://www.dcconvention.com/ Walter E. Washington Convention Center]
		+	<br>
	== The presentation ==		== The presentation ==

@@ Line 5: / Line 5: @@
 == The presentation  ==
-[[Image:Owasp_logo_normal.jpg|right]]The Google Web Toolkit (GWT) provides developers with a framework to easily create Rich Internet Applications that use AJAX. The beauty of GWT lies in the ability to write client side components in Java that get automatically compiled into optimized browser Javascript.  Once deployed, this client side code has the ability to perform remote procedure calls to all implemented GWT RPC methods.
+[[Image:Ron Gutierrez.jpg|right]]The Google Web Toolkit (GWT) provides developers with a framework to easily create Rich Internet Applications that use AJAX. The beauty of GWT lies in the ability to write client side components in Java that get automatically compiled into optimized browser Javascript.  Once deployed, this client side code has the ability to perform remote procedure calls to all implemented GWT RPC methods.
 From an attacker’s perspective, GWT introduces several problems.  Most notably, GWT RPC request use a custom serialization protocol which renders all common web application scanners useless for testing. Additionally, GWT client side code is heavily optimized and obfuscated making reverse engineering difficult.   In short, these problems have historically made testing GWT applications a tedious and manual process…until now.
@@ Line 19: / Line 19: @@
 * Bypassing GWT&apos;s Cross-site Request Forgery (CSRF) protection
-== The speaker  ==
+== Ron Gutierrez ==
 [[Category:AppSec_DC_2010_Presentations]] [[Category:OWASP_Conference_Presentations]]