Unlocking the Toolkit: Attacking Google Web Toolkit Applications

ShmooCon VII - 2011

Presented by: Ron Gutierrez
Date: Saturday January 29, 2011
Time: 11:00 - 12:00
Location: Bring It On room
Track: Bring It On!

The Google Web Toolkit (GWT) provides developers with a framework to easily create Rich Internet Applications that use AJAX. The beauty of GWT lies in the ability to write client side components in Java that get automatically compiled into optimized browser Javascript. Once deployed, this client side code has the ability to perform remote procedure calls to all implemented GWT RPC methods.

From an attacker's perspective, GWT introduces several problems. Most notably, GWT RPC request use a custom serialization protocol which renders all common web application scanners useless for testing. Additionally, GWT client side code is heavily optimized and obfuscated making reverse engineering difficult. In short, these problems have historically made testing GWT applications a tedious and manual process - until now.

This presentation will discuss a collection of tools and techniques that can be used to efficiently perform GWT applications security assessments. The talk will include live demonstrations of how to easily:

Ron Gutierrez

Ron Gutierrez is a security engineer at Gotham Digital Science where he specializes in dynamic application assessments and security code reviews. Ron is also a frequent contributor to the GDS Security Blog: http://www.gdssecurity.com/l/b/


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats