
Rich Cannings, Himanshu Dwivedi, Zane Lackey, and Alex Stamos

"Hacking Exposed Web 2.0: Web 2.0 Security Secrets and Solutions"

This is a product of GWT's unique
compiled architecture, which differs from the proxy style of most other server-side AJAX
frameworks. Once GWT compiles an application, the result is a set of JavaScript and HTML
files that need no middleware proxy of any sort. This can be a problem for developers
who want sensitive methods to remain hidden. However, it is not as large a benefit to
attackers as you might think, because the method names in JavaScript compiled by GWT
are obfuscated rather than left as normal method names. For example, a typical method
name in GWT JavaScript is ab or vF instead of the typical doLogin or sensitiveMethod.
Therefore, while all client-side methods may be exposed to an attacker, they will not be
in a form that can be easily read. Keep in mind that this is name mangling performed by
the compiler, not an access control: an obfuscated method can still be called and traced
from the browser, so the renaming slows analysis rather than preventing it, and no
sensitive logic or secret should depend on it.
As is the case with most other frameworks, GWT has issues with CSRF. GWT offers
no built-in protection for web applications against CSRF. This means that developers
will need to build their own protection into their applications, typically an
unpredictable per-session token that the client must echo back with every
state-changing request and that the server verifies before acting on it.
The process for determining whether a GWT application is vulnerable to CSRF
attacks is similar to that for other frameworks. An attacker views the HTTP GET and POST
requests to a GWT web application during normal usage.

