Unlocking the Toolkit: Attacking Google Web Toolkit
From an attacker’s perspective, GWT introduces several problems. Most notably, GWT RPC request use a custom serialization protocol which renders all common web application scanners useless for testing. Additionally, GWT client side code is heavily optimized and obfuscated making reverse engineering difficult. In short, these problems have historically made testing GWT applications a tedious and manual process…until now.
This presentation will discuss a collection of tools and techniques that can be used to efficiently perform GWT applications security assessments. The talk will include live demonstrations of how to easily:
- Unlock features within the applications user interface
- Parse GWT RPC request payloads
- Identify application parameters worthy of fuzzing
- Use custom and/or existing tools, such as Burp Intruder, to fuzz GWT parameters
- Quickly create a GWT client to craft custom GWT RPC requests
- Bypassing GWT's Cross-site Request Forgery (CSRF) protection
Ron Gutierrez is a security engineer at Gotham Digital Science where he specializes in dynamic application assessments and security code reviews.
Ron is also a frequent contributor to the GDS Security Blog: http://www.gdssecurity.com/l/b/