gwtproject / gwt

GWT Open Source Project

Home Page:http://www.gwtproject.org


Is there a way to secure GWT RPC service APIs from vulnerability attacks like Stored cross site scripting?

pthiagarajan opened this issue · comments

GWT version: 2.5.1
Browser (with version): any
Operating System: Ubuntu/Windows


Description

Is there a way to secure GWT RPC service APIs from vulnerability attacks like Stored cross site scripting?

Steps to reproduce

GWT RPC calls allow injecting an XSS payload in the request. The service RPC endpoint can be tracked from the browser's network tab.

Known workarounds

https://www.gwtproject.org/articles/security_for_gwt_applications.html

Links to further discussions

https://www.gwtproject.org/articles/security_for_gwt_applications.html

https://www.digizol.com/2008/09/java-gwt-servlets-web-app-tutorial.html#gwt-servlet-5

Whenever you render data in your GWT application's UI and that data has been provided by a user, then you should use GWT's SafeHtml / SafeStyles classes to render it. These classes escape the user provided data and make it safe to render. See: https://www.gwtproject.org/doc/latest/DevGuideSecuritySafeHtml.html

GWT-RPC just sends data back and forth and only protects against CSRF, see https://www.gwtproject.org/doc/latest/DevGuideSecurityRpcXsrf.html

Stored XSS attacks, like other XSS issues, are just an encoding problem, and as Jens said, using the correct SafeHtml APIs will mitigate these. The GWT Widget APIs generally discourage injecting HTML strings directly, but either encourage passing in plain text, or using the SafeHtml tools to either "sanitize" or "escape" the content to be sure it is correctly encoded.

> GWT RPC calls allow injecting an XSS payload in the request. Service RPC endpoint can be tracked from browser's network tab
This isn't true, at least not in a way that is meaningful. GWT-RPC isn't the problem here (nor is storing "bad" data necessarily, subject to your own application's concerns), only how to safely render it when it reaches a client.

Also please note that 2.5.1 is nearly 10 years old - SafeHtml was added in early 2.x, with more widget support added in 2.5, so you should already have support where you need it for this. Nevertheless, we encourage updating to a newer version as soon as possible (GWT 2.11 was released yesterday).

I'm going to close this for now, but this would be better to discuss on the mailing list, or if you want to chat live with other users, check us out on gitter.im.
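As an added example (not code from this issue or from the GWT project itself), here is a client-side renderer for a comment body that was stored server-side and fetched over GWT-RPC, showing the unsafe `HTML(String)` path beside the plain-text, escaped and sanitized SafeHtml paths that both replies above recommend. The `CommentRenderer` class, its `CommentTemplate` and the `STORED_BODY` sample string are constructed for illustration and assume the standard `com.google.gwt.safehtml` and `com.google.gwt.user.client.ui` packages.

```java
import com.google.gwt.core.client.GWT;
import com.google.gwt.safehtml.client.SafeHtmlTemplates;
import com.google.gwt.safehtml.client.SafeHtmlTemplates.Template;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SimpleHtmlSanitizer;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.Label;
import com.google.gwt.user.client.ui.Widget;

/** Hypothetical renderer for a comment returned unchanged by a GWT-RPC service method. */
public class CommentRenderer {

  // Constructed sample of user-supplied data that was stored without any encoding.
  static final String STORED_BODY = "Great post! <script>alert('stored xss')</script> <b>thanks</b>";

  // String parameters of a SafeHtmlTemplates template are HTML-escaped on insertion;
  // SafeHtml parameters are inserted as-is, so they must already be escaped or sanitized.
  public interface CommentTemplate extends SafeHtmlTemplates {
    @Template("<div class=\"comment\"><b>{0}</b>: {1}</div>")
    SafeHtml comment(String author, SafeHtml body);
  }
  private static final CommentTemplate TEMPLATE = GWT.create(CommentTemplate.class);

  /** VULNERABLE: HTML(String) writes the string to innerHTML, so the stored <script> is parsed as markup. */
  static Widget renderUnsafe(String storedBody) {
    return new HTML(storedBody);
  }

  /** Plain text: Label sets textContent, so the markup is displayed literally and never executed. */
  static Widget renderAsText(String storedBody) {
    return new Label(storedBody);
  }

  /** Escaped: fromString() turns < > & " ' into entities, so the HTML widget shows them as literal text. */
  static Widget renderEscaped(String storedBody) {
    return new HTML(SafeHtmlUtils.fromString(storedBody));
  }

  /** Sanitized: keeps a small whitelist of formatting tags (b, i, em, lists...) and escapes everything else. */
  static SafeHtml sanitizedBody(String storedBody) {
    return SimpleHtmlSanitizer.sanitizeHtml(storedBody);
  }

  /** Full comment: author escaped by the template, body sanitized, static markup only from code constants. */
  static Widget renderComment(String author, String storedBody) {
    SafeHtmlBuilder sb = new SafeHtmlBuilder();
    sb.appendHtmlConstant("<div class=\"comments\">"); // literal markup from a constant, never from data
    sb.append(TEMPLATE.comment(author, sanitizedBody(storedBody)));
    sb.appendHtmlConstant("</div>");
    return new HTML(sb.toSafeHtml());
  }
}
```

The point of the three safe variants is that the choice is made at render time in the client, which is where the reply above places the responsibility; GWT-RPC itself neither introduces nor removes the problem.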