The Google Web Toolkit (GWT) produces some of the slickest web-based applications out there; it’s easy to understand why it has been gathering popularity. But there’s obviously more to writing a secure application than making the UI nice and shiny. The framework’s functionality is not limited to GUI controls - it also has significant support for remote procedure calls. The browser-side code is implemented entirely in JavaScript that the GWT generates from developer-written Java code. While GWT RPC can be implemented securely, many developers either rely on the JavaScript obfuscation, or don’t realize how their Java code is going to be split between the server & client. Either way, insecure GWT remoting is very common.
This presentation will demonstrate how to exploit common vulnerabilities in GWT applications, particularly with RPC functionality. Non-human readable format of the JavaScript makes penetration testing GWT applications very time consuming. To aid with testing, the presenters are releasing REGWT, a tool to reverse engineer GWT applications. It will allow a pen tester to map out GWT RPC methods that would otherwise be hidden and easily test them for various vulnerabilities.
Trustwave David Byrne is a Senior Security Consultant within the Application Security practice at Trustwave's SpiderLabs. SpiderLabs is the advanced security team responsible for Penetration Testing, Application Security, and Incident Response for Trustwave's clients. David has been involved with information security for a decade. Before Trustwave, he was the Security Architect at Dish Network. In 2008, he released Grendel (grendel-scan.com), an open source web application security scanner. David frequently presents at security events including DEFCON, Black Hat, Toorcon, SANS, and OWASP AppSec.
Trustwave Charles Henderson is the Director of Application Security Services at Trustwave's SpiderLabs. He has been in the information security industry for over fifteen years. His team specializes in application security including application penetration testing, code review, and training in secure development techniques. The team's clients range from the largest of the Fortune lists to small and midsized companies interested in improving their application security posture. Charles routinely speaks at various conferences around the world on various subject matters relating to application security. Charles's team of deviants can be found at most Black Hat events where alcohol is served.