2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
How to map the attack surface of Google Web Toolkit is something many less experienced people do not know how to approach. This article therefore summarizes the causes of the problem and its solutions, and I hope it helps you solve it.
GWTMap
GWTMap is a security audit tool for GWT. With it, researchers can audit the security of Google Web Toolkit (GWT)-based applications and map the attack surface of such applications. The main function of the tool is to help researchers extract any service method endpoints hidden in the obfuscated client code of modern GWT applications, and to try to generate sample GWT-RPC request payloads for interacting with these applications.
Dependencies
The script requires a Python 3 environment together with the argparse and requests libraries. After installing and configuring Python 3, install the dependencies with the following command:
python -m pip install -r requirements.txt
Help menu
$ ./gwtmap.py -h
usage: gwtmap.py [-h] [--version] [-u] -F [-b] [-c] [-f] [--basic] [--rpc] [--probe] [--svc] [--code] [--color] [--backup [DIR]] [-q]
Enumerates GWT-RPC methods from {hex}.cache.js permutation files
Arguments:
  -h, --help        display help and exit
  --version         display the program version number and exit
  -u, --url         URL of the target GWT application
  -F, --file        path to a local copy of the file
  -b, --base        base URL for the given permutation file
  -p, --proxy       URL of an HTTP proxy, for example: -p http://127.0.0.1:8080
  -c, --cookies     cookies required to access remote resources, for example: 'JSESSIONID=ABCDEF; OTHER=XYZABC'
  -f, --filter      output filter, for example: -f AuthSvc.checkSession
  --basic           enable HTTP Basic authentication
  --rpc             generate a serialized RPC request for each method
  --probe           send an HTTP probe request to test each method
  --svc             display enumerated service information as well as methods
  --code            dump the 're-formatted' state of the given resource
  --color           enable colored terminal output
  --backup [DIR]    create a local backup of the retrieved code
  -q, --quiet       enable quiet mode (minimal output)
Example: ./gwtmap.py -u "http://127.0.0.1/example/example.nocache.js" -p "http://127.0.0.1:8080" --rpc
Tool usage
Enumerate the methods of a remote application through the target's bootstrap file and create a local backup of the target code (the permutation is selected at random):
./gwtmap.py -u http://192.168.22.120/olympian/olympian.nocache.js --backup
Enumerate the methods of a remote application through a specific code permutation:
./gwtmap.py -u http://192.168.22.120/olympian/C39AB19B83398A76A21E0CD04EC9B14C.cache.js
Enumerate the methods of the target application while routing traffic through an HTTP proxy:
./gwtmap.py -u http://192.168.22.120/olympian/olympian.nocache.js --backup -p http://127.0.0.1:8080
Enumerate the methods in a local copy of any given permutation file:
./gwtmap.py -F test_data/olympian/C39AB19B83398A76A21E0CD04EC9B14C.cache.js
Filter the output for a specific service or method:
./gwtmap.py -u http://192.168.22.120/olympian/olympian.nocache.js --filter AuthenticationService.login
Generate RPC payloads for all methods of the filtered service, with color-highlighted output:
./gwtmap.py -u http://192.168.22.120/olympian/olympian.nocache.js --filter AuthenticationService --rpc --color
Automatically test (probe) the generated RPC request for each filtered service method:
./gwtmap.py -u http://192.168.22.120/olympian/olympian.nocache.js --filter AuthenticationService.login --rpc --probe
Complete usage sample
In this example, we generate an RPC request for the "testDetails" method and then automatically probe the service:
$ ./gwtmap.py -u http://192.168.22.120/olympian/olympian.nocache.js --filter TestService.testDetails --rpc --probe

[GWTMap ASCII banner]
version 0.1

[+] Analysing
====================
http://192.168.22.120/olympian/olympian.nocache.js
Permutation: http://192.168.22.120/olympian/4DE825BB25A8D7B3950D45A81EA7CD84.cache.js
+ fragment: http://192.168.22.120/olympian/deferredjs/4DE825BB25A8D7B3950D45A81EA7CD84/1.cache.js
+ fragment: http://192.168.22.120/olympian/deferredjs/4DE825BB25A8D7B3950D45A81EA7CD84/2.cache.js

[+] Module Info
====================
GWT Version: 2.9.0
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Module-Base: http://192.168.22.120/olympian/
X-GWT-Permutation: 4DE825BB25A8D7B3950D45A81EA7CD84
RPC Version: 7
RPC Flags: 0

[+] Methods Found
====================
----- TestService -----
TestService.testDetails( java.lang.String/2004016611, java.lang.String/2004016611, I, D, java.lang.String/2004016611 )
POST /olympian/testService HTTP/1.1
Host: 192.168.22.120
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 4DE825BB25A8D7B3950D45A81EA7CD84
X-GWT-Module-Base: http://192.168.22.120/olympian/
Content-Length: 262

7|0|10|http://192.168.22.120/olympian/|67E3923F861223EE4967653A96E43846|com.ecorp.olympian.client.asyncService.TestService|testDetails|java.lang.String/2004016611|D|I|§param_Bob§|§param_Smith§|§param_"Im_a_test"§|1|2|3|4|5|5|5|7|6|5|8|9|§32§|§76.6§|10|

HTTP/1.1 200
//OK[1,["Name: param_Bob param_Smith\nAge: 32\nWeight: 76.6\nBio: param_\"Im_a_test\"\n"],0,7]

[+] Summary
====================
Showing 1/5 Services
Showing 1/25 Methods

After reading the above, have you learned how to map the attack surface of Google Web Toolkit? If you want to learn more skills or find out more about this topic, you are welcome to follow the industry information channel. Thank you for reading!
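The GWT-RPC request body in the sample above is a pipe-delimited stream: protocol version, flags, string-table size, the string table itself, and then indexes into that table naming the module base, policy hash, service, method and parameter types. The following Python code is an added example, not part of GWTMap or the original article: it decodes such a body so that a server-side log or inspection proxy can record which service method a request invokes and compare it with an allowlist of methods that are meant to be exposed. The function names, the allowlist idea and the sample body are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample body modelled on the article's TestService.testDetails
# request, with the tool's § markers removed; all values are illustrative.
SAMPLE_BODY = (
    "7|0|10|http://192.168.22.120/olympian/|67E3923F861223EE4967653A96E43846|"
    "com.ecorp.olympian.client.asyncService.TestService|testDetails|"
    "java.lang.String/2004016611|D|I|Bob|Smith|Im_a_test|"
    "1|2|3|4|5|5|5|7|6|5|8|9|32|76.6|10|"
)

@dataclass
class RpcCall:
    version: int
    flags: int
    module_base: str
    policy_hash: str
    service: str
    method: str
    param_types: list
    raw_values: list  # argument tokens, left encoded (indexes or literals)

def parse_gwt_rpc(body: str) -> RpcCall:
    """Split a GWT-RPC request into header, string table and call data."""
    # GWT escapes a literal '|' inside strings as '\!', so a plain split is safe.
    tokens = body.split("|")
    if tokens[-1] == "":
        tokens.pop()  # the body ends with a trailing separator
    version, flags, count = (int(t) for t in tokens[:3])
    table, data = tokens[3:3 + count], tokens[3 + count:]
    if len(table) != count or len(data) < 5:
        raise ValueError("truncated GWT-RPC request")
    def ref(tok: str) -> str:  # resolve a 1-based string-table index
        idx = int(tok)
        if not 1 <= idx <= count:
            raise ValueError(f"string table index out of range: {tok}")
        return table[idx - 1]
    nparams = int(data[4])
    types = [ref(t) for t in data[5:5 + nparams]]
    if len(types) != nparams:
        raise ValueError("parameter type list truncated")
    return RpcCall(version, flags, ref(data[0]), ref(data[1]), ref(data[2]),
                   ref(data[3]), types, data[5 + nparams:])

def is_allowed(call: RpcCall, allowlist: set) -> bool:
    """True when Service.method is on the list of intentionally exposed methods."""
    short = call.service.rsplit(".", 1)[-1]
    return f"{short}.{call.method}" in allowlist
```

Comparing the decoded `Service.method` names seen in traffic with the list an audit of the permutation files produces shows which exposed methods are actually being called and which requests target methods the client UI never uses.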