Billy Hoffman is a wild man when it comes to exploiting JavaScript and HTTP. Watching him twiddle the bits with Firebug was a pleasure. But this talk was more about Ajax security (and really, Browser/Webapp security) than GWT security.
Security is really about the nitty gritty — dusty corners of technology that can be exploited to subvert an app. As such I might buy his book. It helps to have a big list of holes and tools for exploiting them. But in Billy’s own words "these attacks are nothing new. They’ve been around for years. With Ajax, people are just finding new ways to screw up."
Most of the Ajax security issues are really about having too much state and logic on the client side. GWT, if anything, hides the details (see here and here about leaky business logic) and makes writing code on the client side so much easier (right?) that you are likely to have more state and logic on the server side.
Some good things out of the talk:
- Don’t make your web services API too granular.
- Be careful of control-logic DoS attacks; put control logic on the server.
- Use locking on the server to prevent race conditions.
- Be careful of third-party widgets that can override the logic of other widgets.
Also, using a Google Gears worker thread, which continues running even after a tab is closed, to keep injecting data into the SQLite DB, you can fill up a 20GB hard drive in under an hour.
One thing I hadn’t come across was the technique for making JSON safer, i.e. preventing a JSON response from being executed when it is pulled in via a <script src="">. The way to do that is to prefix the message with the following:
for (;;); /* rest of JSON message */
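How that prefix is used end to end, as an added example (not code from the talk or from this post): the server prepends `for (;;);` so a cross-site `<script src>` include spins in the infinite loop instead of evaluating the data, and the legitimate XMLHttpRequest client strips the prefix before parsing. `protectJson` and `parseProtectedJson` are hypothetical helper names.

```javascript
// Added example, not from the original post. The "for (;;);" prefix is the
// technique described above; the helper names are hypothetical.
const PREFIX = "for (;;);";

// Server side: emit the prefix in front of the JSON body. If an attacker's page
// includes this URL via <script src="...">, the browser executes the infinite
// loop and never reaches the array/object literal, so the data cannot be hijacked.
function protectJson(value) {
  return PREFIX + JSON.stringify(value);
}

// Client side (same-origin XMLHttpRequest): refuse any body that does not carry
// the prefix, so a missing or tampered prefix is noticed, then parse the rest.
function parseProtectedJson(body) {
  if (typeof body !== "string" || !body.startsWith(PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(body.slice(PREFIX.length));
}

// Sanity check used below: a plain JSON parser must NOT accept the protected body,
// otherwise the prefix would not be doing its job.
function isParseableAsPlainJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample payload: the array-of-records shape a web service API returns.
const sample = [
  { id: 1, email: "alice@example.com" },
  { id: 2, email: "bob@example.com" },
];
```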
Some quotes from Billy:
"SQL injection and cross site scripting is rampant, but exploiting applications is even easier and you can do it with just a browser."
"Ajax provides an increased attack surface."
