If these requests do not contain
any secret values, such as repeating the JSESSIONID in the body of the request as
DWR does, then the web application is vulnerable to a CSRF attack. However, while GWT
does not offer built-in CSRF protections, Google has made available a document detailing
GWT's susceptibility to CSRF as well as ways for web application developers to protect
their applications against common security issues such as CSRF (see
http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications).
For more information on CSRF attacks, refer to Chapter 4.
Chapter 7: AJAX Framework Exposures 183
In addition to CSRF, GWT web applications are also susceptible to JavaScript hijacking
attacks, due to GWT's use of JavaScript Object Notation (JSON) for communication
between the client and server. Fortunately for developers, by default GWT uses the HTTP
POST method to submit requests to the server. This limits the exposure of GWT web
applications to JavaScript hijacking attacks. However, it should be noted that it is trivial
to change a GWT application to use the HTTP GET method to submit requests. If they
decide to use the HTTP GET method, developers need to realize that they must implement
JavaScript hijacking defenses in their applications; otherwise, they will be vulnerable.
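The two server-side checks this section describes, refusing GET on the RPC endpoint (the JavaScript hijacking defense) and requiring the request body to repeat the session cookie (the DWR-style secret the CSRF discussion refers to), as an added example that is not code from the book or from GWT. The `Request` class, the `csrfToken` body field and the JSON body layout are assumptions for illustration, not GWT's own wire format.

```python
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request reaching an RPC servlet (constructed)."""
    method: str
    cookies: dict = field(default_factory=dict)
    body: str = ""


def check_rpc_request(req: Request, session_cookie: str = "JSESSIONID") -> tuple:
    """Return (allowed, reason) for an incoming RPC request.

    1. JavaScript hijacking: a <script> tag can only issue GET, so the
       endpoint accepts POST only; switching a GWT app to GET reopens this.
    2. CSRF: the body must repeat the session cookie value (the secret a
       cross-site form cannot read), so a forged request fails the comparison.
    """
    if req.method.upper() != "POST":
        return False, "method-not-post"
    session = req.cookies.get(session_cookie)
    if not session:
        return False, "no-session"
    try:
        payload = json.loads(req.body)  # assumed JSON body with a csrfToken field
    except ValueError:
        return False, "bad-body"
    token = payload.get("csrfToken", "") if isinstance(payload, dict) else ""
    # constant-time comparison so the token cannot be recovered by timing
    if not hmac.compare_digest(str(token), session):
        return False, "token-mismatch"
    return True, "ok"
```

A request whose body lacks the token, or that arrives via GET, is rejected before the RPC method is dispatched.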