Reg: Service URL manipulation in the request payload


Jhonson Paulraj

Oct 12, 2023, 4:14:01 AM
to GWT Users
Hello Team,

I have a question about the GWT RPC request payload. We know that the request payload has the service URL along with other data pertaining to the remote method.

The testing team is using the Burp tool to manipulate the payload and give a different URL, for example 'www.google.com' instead of www.mydomain.com.

1. Would the request be routed to the google.com DNS server since the payload has ?
2. Does GWT RPC make any DNS call to this manipulated URL while processing the request from the client?
3. With the manipulated URL in the payload, does the request still reach the actual/original endpoint of the service (remote servlet)?

To my knowledge, the URL in the request payload is not used for invoking the remote method; it is for reference purposes only.

Kindly let me know how the URL in the payload is used while processing the client request.

Request Payload:
7|0|8|http://www.mydomain.com:10085/sp/chigo/|E5CFE27DD53BDBE4521FDBFC1A038618|com.google.gwt.logging.shared.RemoteLoggingService|logOnServer|java.util.logging.LogRecord/2492345967|INFO|Taking 45 milliseconds to layout 3932|com.mydomain.gwt.client.Layout|1|2|3|4|1|5|5|6|7|8|V1kCRyY|0|


Note: the remote method is exposed using RemoteServiceServlet. Request mapping is done in web.xml.

Thanks
Jhonson

Thomas Broyer

Oct 12, 2023, 4:52:40 AM
to GWT Users
On Thursday, October 12, 2023 at 10:14:01 AM UTC+2 paulraj...@gmail.com wrote:
Hello Team,

I have a question about the GWT RPC request payload. We know that the request payload has the service URL along with other data pertaining to the remote method.

The testing team is using the Burp tool to manipulate the payload and give a different URL, for example 'www.google.com' instead of www.mydomain.com.

1. Would the request be routed to the google.com DNS server since the payload has ?
2. Does GWT RPC make any DNS call to this manipulated URL while processing the request from the client?
3. With the manipulated URL in the payload, does the request still reach the actual/original endpoint of the service (remote servlet)?

To my knowledge, the URL in the request payload is not used for invoking the remote method; it is for reference purposes only.


tl;dr: the scheme and authority (and any query string) are actually ignored, and only the path part of the URL is used. The pair of path + the next value in the request payload are used to load the serialization policy used to process the rest of the request. Worst that could happen is a failure to load the serialization policy and falling back to the default serialization policy which would likely cause deserialization of the request (or serialization of the response) to fail.
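An added example (not code from this thread or from GWT itself) that models the lookup described in the reply above: only the path of the module base URL, joined with the strong name that follows it, selects the serialization policy file, so changing the host in the payload changes nothing and triggers no name resolution. The function names and the `context_path` parameter are assumptions made for illustration; `.gwt.rpc` is the suffix GWT gives its serialization policy files.

```python
from urllib.parse import urlsplit

# Payload copied from the question in this thread.
PAYLOAD = (
    "7|0|8|http://www.mydomain.com:10085/sp/chigo/|E5CFE27DD53BDBE4521FDBFC1A038618|"
    "com.google.gwt.logging.shared.RemoteLoggingService|logOnServer|"
    "java.util.logging.LogRecord/2492345967|INFO|"
    "Taking 45 milliseconds to layout 3932|com.mydomain.gwt.client.Layout|"
    "1|2|3|4|1|5|5|6|7|8|V1kCRyY|0|"
)


def parse_header(payload):
    """Split the pipe-delimited payload into version, flags and string table.

    Simplification: assumes no string in the table contains an escaped pipe.
    """
    fields = payload.split("|")
    version, flags, count = (int(f) for f in fields[:3])
    strings = fields[3:3 + count]
    if len(strings) != count:
        raise ValueError("string table shorter than declared")
    return {"version": version, "flags": flags,
            "module_base_url": strings[0], "strong_name": strings[1]}


def policy_lookup_key(payload, context_path=""):
    """Return the policy resource a server would look for, or None.

    None models the case from the reply where no policy file is found and
    the server falls back to the default serialization policy.
    """
    header = parse_header(payload)
    # urlsplit is pure string parsing: scheme, host and query are discarded
    # and nothing is resolved or contacted.
    path = urlsplit(header["module_base_url"]).path
    if not path.startswith(context_path):
        return None
    return path[len(context_path):] + header["strong_name"] + ".gwt.rpc"


def with_module_base(payload, new_url):
    """Swap the module base URL, as a proxy-based test would (hypothetical helper)."""
    return payload.replace(parse_header(payload)["module_base_url"], new_url, 1)
```

Only a change to the path or the strong name alters the lookup key, which is the failure case the reply describes.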