GWT is already being used by tens of thousands of websites and web applications around the world such as Evernote, Google Wallet, Google AdWords, and Facebook’s App Centre.
And developers will be glad to know that Acunetix thoroughly crawls and deeply scans any website and web application built on the Google Web Toolkit platform, exposing all types of vulnerabilities, including SQL Injection and Cross-Site Scripting.
A GWT web application consists of a client side module (that runs in the browser) and a server side module (that runs on the web server). The client side module has the ability to call server side methods using GWT RPC (Remote Procedure Call).
GWT RPC uses a custom serialization protocol rather than plain form fields or JSON, which makes it difficult for automated web vulnerability scanners to recognise the parameters and inject test values. Acunetix fully understands the GWT RPC serialization protocol and can scan GWT based web applications.
Let's see what GWT RPC looks like by analyzing a simple HTTP request made by the client module to the web server:
POST /mywebapp/greet HTTP/1.1
Origin: http://127.0.0.1:8888
X-GWT-Module-Base: http://127.0.0.1:8888/mywebapp/
X-GWT-Permutation: C2E8908F31B9E566DF689B55F743680B
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Content-Type: text/x-gwt-rpc; charset=UTF-8
Referer: http://127.0.0.1:8888/MyWebApp.html
Accept: */*
Content-Length: 172
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept-Language: en-US,*
Host: 127.0.0.1:8888
Pragma: no-cache
Cache-Control: no-cache

7|0|6|http://127.0.0.1:8888/mywebapp/|07FC5BAD30571050668243C4A5655248|com.acunetix.mywebapp.client.GreetingService|greetServer|java.lang.String/2004016611|e|1|2|3|4|1|5|6|
Looking at this in more detail, we see that this is a POST request with the content type text/x-gwt-rpc and that the POST body carries the serialized call. Every field is terminated by a pipe character (|), so the body is simply a sequence of pipe-delimited tokens:
7|0|6|http://127.0.0.1:8888/mywebapp/|07FC5BAD30571050668243C4A5655248|com.acunetix.mywebapp.client.GreetingService|greetServer|java.lang.String/2004016611|e|1|2|3|4|1|5|6|
The POST data is split in three parts:
- Header (7|0|6)
- String table (http://127.0.0.1:8888/mywebapp/|07FC5BAD30571050668243C4A5655248|com.acunetix.mywebapp.client.GreetingService|greetServer|java.lang.String/2004016611|e)
- Payload (1|2|3|4|1|5|6|)
Note that the parameter value e belongs to the string table, not to the payload: the header declares six strings, and the payload refers to the value only by its index (6).
Let’s analyze each part individually. We will start with the header:
- 7 – serialization version
- 0 – no flags are set
- 6 – size of the string table that follows the header
The string table is a collection of strings that will be referenced from the payload using their 1-based index:
- http://127.0.0.1:8888/mywebapp/ – The base URL of the GWT module
- 07FC5BAD30571050668243C4A5655248 – The strong name identifying the serialization policy file (<strongname>.gwt.rpc) the server must use to validate the call
- com.acunetix.mywebapp.client.GreetingService – The service interface
- greetServer – The name of the method to call
- java.lang.String/2004016611 – Type of the first parameter (class name plus the signature hash of that type)
- e – The value of the first parameter
The payload is a stream of integers that references the string table and spells out the call. In our example, 1|2|3|4 select the module base URL, the strong name, the service interface and the method name; the following 1 is the number of parameters; 5 is the type of the first parameter (java.lang.String); and 6 is its value (e). For a scanner, this last index is the interesting one: it is the only token that carries user-controlled input, and changing what it points to is how a test payload is injected into the method call.
Let's see what happens when we scan a GWT based web application with the new version of Acunetix WVS.
The crawler correctly identified a GWT based web application and created an input scheme for one of the methods invoked. The name of the input scheme parameter is com.acunetix.mywebapp.client.GreetingService.greetServer.P1 and is composed from the name of the service interface (com.acunetix.mywebapp.client.GreetingService) plus the name of the method to call (greetServer) and the parameter number (P1).
The scanner can now use this information to correctly enumerate and test all the GWT RPC methods that are called from the client module.
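To make the format concrete, here is a small decoder and re-encoder for the request body dissected above, written as an added example for this article (it is not Acunetix code and is not part of the GWT project). It parses the header, string table and payload, derives the input-scheme parameter name the crawler reports (service.method.P<n>), and then shows how a scanner injects a test value into a String parameter by appending it to the string table and repointing the payload index, rather than overwriting the original string, which may be referenced elsewhere. The sample body is the one from the page; the names parse_gwt_rpc, set_string_param and serialize are ours, the code handles only parameters whose value is a single string-table reference, and the escaping of backslash and pipe inside strings (\\ and \!) is my understanding of the GWT client writer's convention and should be checked against the GWT version in use.

```python
"""Decode and re-encode a GWT RPC request body (added example, not Acunetix code).

Wire layout: version|flags|string-count|<strings...>|<integer payload...>|
The payload references strings by 1-based index into the string table.
"""
from dataclasses import dataclass
from typing import List, Union

# Request body taken from the article's example request.
SAMPLE_BODY = (
    "7|0|6|http://127.0.0.1:8888/mywebapp/|07FC5BAD30571050668243C4A5655248|"
    "com.acunetix.mywebapp.client.GreetingService|greetServer|"
    "java.lang.String/2004016611|e|1|2|3|4|1|5|6|"
)


def quote(s: str) -> str:
    # Assumed GWT client-side escaping: backslash -> \\ , pipe -> \!  (so a
    # raw '|' never appears inside a string token and splitting on '|' is safe).
    return s.replace("\\", "\\\\").replace("|", "\\!")


def unquote(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("|" if s[i + 1] == "!" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


@dataclass
class GwtRpcCall:
    version: int
    flags: int
    strings: List[str]      # string table, referenced 1-based from the payload
    payload: List[str]      # raw tokens after the string table

    def s(self, ref: str) -> str:
        return self.strings[int(ref) - 1]

    @property
    def service(self) -> str: return self.s(self.payload[2])
    @property
    def method(self) -> str: return self.s(self.payload[3])
    @property
    def param_count(self) -> int: return int(self.payload[4])
    @property
    def param_types(self) -> List[str]:
        return [self.s(r) for r in self.payload[5:5 + self.param_count]]

    def param_values(self) -> List[Union[str, int]]:
        # Assumes every parameter value occupies exactly one payload token.
        start = 5 + self.param_count
        vals = []
        for typ, tok in zip(self.param_types, self.payload[start:start + self.param_count]):
            vals.append(self.s(tok) if typ.startswith("java.lang.String/") else tok)
        return vals

    def param_names(self) -> List[str]:
        # Same convention as the crawler's input scheme: <service>.<method>.P<n>
        return [f"{self.service}.{self.method}.P{n}" for n in range(1, self.param_count + 1)]


def parse_gwt_rpc(body: str) -> GwtRpcCall:
    fields = body.split("|")
    if fields[-1] != "":
        raise ValueError("GWT RPC body must end with '|'")
    fields = fields[:-1]
    version, flags, count = int(fields[0]), int(fields[1]), int(fields[2])
    strings = [unquote(f) for f in fields[3:3 + count]]
    if len(strings) != count:
        raise ValueError("string table shorter than declared in header")
    return GwtRpcCall(version, flags, strings, fields[3 + count:])


def serialize(call: GwtRpcCall) -> str:
    parts = [str(call.version), str(call.flags), str(len(call.strings))]
    parts += [quote(s) for s in call.strings]
    parts += call.payload
    return "|".join(parts) + "|"


def set_string_param(call: GwtRpcCall, param_no: int, value: str) -> GwtRpcCall:
    """Return a copy of the call with String parameter param_no set to value."""
    if not 1 <= param_no <= call.param_count:
        raise ValueError("no such parameter")
    if not call.param_types[param_no - 1].startswith("java.lang.String/"):
        raise ValueError("only java.lang.String parameters are string-table references")
    slot = 5 + call.param_count + (param_no - 1)        # index of the value token
    strings = call.strings + [value]                    # append, never overwrite
    payload = list(call.payload)
    payload[slot] = str(len(strings))                   # point at the new string
    return GwtRpcCall(call.version, call.flags, strings, payload)


if __name__ == "__main__":
    call = parse_gwt_rpc(SAMPLE_BODY)
    print(call.param_names(), call.param_values())
    print(serialize(set_string_param(call, 1, "e' OR '1'='1")))
```

The rebuilt body keeps the header's string count in sync with the table, so the server still parses it; the only thing that changed from the server's point of view is which string the first parameter refers to.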
The following is a Code Execution vulnerability reported by Acunetix for our GWT based test application.