Hello, I'm looking for GWT security resources... guidelines, best practices,
code snippets, ... not Ajax security but specific to GWT.
Thanks
Take a look at the GWT Penetration Testing Toolset by Ron Gutierrez and the corresponding presentation from OWASP AppSec DC.
I was able to take Ron's code and adapt it to a 2-way proxy (server - proxy 1 - scanner - proxy 2 - browser). This allowed me to leverage regular scanners to test against GWT applications. I don't have the code on me right now but can probably share if required.
Also Lavakumar Kuppan's IronWASP tool has some capabilities for handling GWT applications.
Yash
Sent on my BlackBerry® from Vodafone
-----Original Message-----
From: Lebeau Frederic frederic.lebeau@websurf.be
Sender: websecurity-bounces@lists.webappsec.org
Date: Tue, 25 Oct 2011 06:45:11
To: websecurity@webappsec.org
Subject: [WEB SECURITY] Gwt security
The Web Security Mailing List
WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
Total blog promotion, but this may help Frederic:
https://www.aspectsecurity.com/blog/analyzing-google-web-toolkit-entry-points/
Cheers,
Jon
On Oct 24, 2011, at 23:45, Lebeau Frederic frederic.lebeau@websurf.be wrote:
Hello, I'm looking for GWT security resources... guidelines, best practices, code snippets, ... not Ajax security but specific to GWT.
Thanks
I did a presentation, as well as some blog posts, on GWT security. Keep in
mind that the tools I wrote were created close to two years ago and are
therefore outdated and most likely don't work on current versions of GWT.
The following links contain my slides and blog posts. I hope they help.
Latest Slides from Shmoocon:
https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset/blob/master/Attacking_GWT_Presentation.pdf?raw=true
Learning GWT-RPC Request Structure:
http://blog.gdssecurity.com/labs/2009/10/8/gwt-rpc-in-a-nutshell.html
Fuzzing GWT-RPC Request:
http://blog.gdssecurity.com/labs/2010/5/6/fuzzing-gwt-rpc-requests.html
Enumerating GWT-RPC:
http://blog.gdssecurity.com/labs/2010/7/20/gwtenum-enumerating-gwt-rpc-method-calls.html
On Tue, Oct 25, 2011 at 12:45 AM, Lebeau Frederic <frederic.lebeau@websurf.be> wrote:
Hello, I'm looking for GWT security resources... guidelines, best
practices, code snippets, ... not Ajax security but specific to GWT.
Thanks
--
Ron Gutierrez
In addition to Jon's links, here are a few GWT-related blog posts written by Ron
Gutierrez that may be helpful.
http://blog.gdssecurity.com/labs/tag/gwt
Denny
On Tue, Oct 25, 2011 at 6:50 AM, Jon Passki jon@passki.us wrote:
Total blog promotion, but this may help Frederic:
https://www.aspectsecurity.com/blog/analyzing-google-web-toolkit-entry-points/
Cheers,
Jon
On Oct 24, 2011, at 23:45, Lebeau Frederic frederic.lebeau@websurf.be wrote:
Hello, I'm looking for GWT security resources... guidelines, best
practices, code snippets, ... not Ajax security but specific to GWT.
Thanks
--
Denny