Is there a way to secure GWT RPC service APIs from vulnerability attacks like Stored cross site scripting?
pthiagarajan opened this issue · comments
GWT version: 2.5.1
Browser (with version): any
Operating System: Ubuntu/Windows
Description
Is there a way to secure GWT RPC service APIs from vulnerability attacks like Stored cross site scripting?
Steps to reproduce
GWT RPC calls allow injecting an XSS payload in the request. The service RPC endpoint can be tracked from the browser's network tab.
Known workarounds
https://www.gwtproject.org/articles/security_for_gwt_applications.html
Links to further discussions
https://www.gwtproject.org/articles/security_for_gwt_applications.html
https://www.digizol.com/2008/09/java-gwt-servlets-web-app-tutorial.html#gwt-servlet-5
Whenever you render data in your GWT application's UI and that data has been provided by a user, then you should use GWT's SafeHtml / SafeStyles classes to render it. These classes escape the user provided data and make it safe to render. See: https://www.gwtproject.org/doc/latest/DevGuideSecuritySafeHtml.html
GWT-RPC just sends data back and forth and only protects against CSRF; see https://www.gwtproject.org/doc/latest/DevGuideSecurityRpcXsrf.html
Stored XSS attacks, like other XSS issues, are just an encoding problem, and as Jens said, using the correct SafeHtml APIs will mitigate these. The GWT Widget APIs generally discourage injecting HTML strings directly, and instead encourage passing in plain text, or using the SafeHtml tools to either "sanitize" or "escape" the content to be sure it is correctly encoded.
> GWT RPC calls allow injecting an XSS payload in the request. The service RPC endpoint can be tracked from the browser's network tab.
This isn't true, at least not in a way that is meaningful. GWT-RPC isn't the problem here (nor is storing "bad" data necessarily, subject to your own application's concerns), only how to safely render it when it reaches a client.
Also please note that 2.5.1 is nearly 10 years old: SafeHtml was added in early 2.x, with more widget support added in 2.5, so you should already have support where you need it for this. Nevertheless, we encourage updating to a newer version as soon as possible (GWT 2.11 was released yesterday).
I'm going to close this for now, but this would be better to discuss on the mailing list, or if you want to chat live with other users, check us out on gitter.im.
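Putting Jens's and the maintainer's answers together, here is an added example (not from this thread or the GWT code base) that contrasts rendering RPC-returned user data unsafely with three safe alternatives built on GWT's SafeHtml classes; the class and method names are hypothetical.

```java
// Added example, not from the issue thread or the GWT project.
// A comment body arrives over GWT-RPC exactly as the user stored it;
// GWT-RPC does not escape it, so safety is decided at render time.
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SimpleHtmlSanitizer;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.Label;

public class CommentRenderer {            // hypothetical class name

    // Vulnerable: the stored string is dropped straight into the DOM as
    // HTML. Any markup the user stored server-side runs in every viewer's
    // browser, which is the stored XSS the issue asks about.
    public static HTML renderUnsafe(String commentFromRpc) {
        return new HTML(commentFromRpc);   // setHTML(String): no escaping
    }

    // Safe, option 1: treat it as text. Label.setText never interprets HTML.
    public static Label renderAsText(String commentFromRpc) {
        return new Label(commentFromRpc);
    }

    // Safe, option 2: escape the user data and compose it with markup
    // constants that the developer controls.
    public static HTML renderEscaped(String author, String commentFromRpc) {
        SafeHtml html = new SafeHtmlBuilder()
            .appendHtmlConstant("<p class=\"comment\"><b>")
            .appendEscaped(author)          // user data -> HTML-escaped
            .appendHtmlConstant("</b>: ")
            .appendEscaped(commentFromRpc)  // user data -> HTML-escaped
            .appendHtmlConstant("</p>")
            .toSafeHtml();
        return new HTML(html);              // setHTML(SafeHtml) overload
    }

    // Safe, option 3: allow limited formatting. SimpleHtmlSanitizer keeps a
    // small allow-list of attribute-free tags (b, em, i, h1-h6, hr, ul, ol,
    // li) and escapes everything else, so scripts and event-handler
    // attributes never reach the DOM as markup.
    public static HTML renderSanitized(String commentFromRpc) {
        return new HTML(SimpleHtmlSanitizer.sanitizeHtml(commentFromRpc));
    }
}
```

The same SafeHtml classes live in the `shared` package, so server-side code can apply the same escaping if you want defence in depth before persisting.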