GWT and Cross Site Scripting - Isn't the "X-GWT-Permutation" header enough?


Sripathi Krishnan

Sep 16, 2009, 10:55:34 AM
to google-we...@googlegroups.com
I have read the discussion at http://groups.google.com/group/google-web-toolkit/web/security-for-gwt-applications and follow it completely. The general recommendation to prevent Cross Site Scripting is to duplicate the session id in the http request payload. Doing that takes some effort, and I don't want to do it unless absolutely necessary.

When I went through the code for GWT's RemoteServiceServlet, I see that it checks for the presence of an HTTP header "X-GWT-Permutation", and fails the service if absent.

I thought about it for some time, and came to the conclusion that the http header alone should be sufficient to prevent cross site scripting.

The only way that header can be set is via an XmlHttpRequest. A request originating from <script>, <iframe>, <img> or <form> tags is not going to be able to set that header. And an XmlHttpRequest originating from a different domain is not going to work due to Same Origin Policy.

Question - Is this conclusion correct? Has anybody yet found a way to get around the http header and make an XSS attack on a GWT RPC Service?

thanks!
--Sri

Diego Lovison

Sep 16, 2009, 11:43:49 AM
to Google Web Toolkit
In which class do you see this: "When I went through the code for GWT's RemoteServiceServlet, I see that it checks for the presence of a HTTP header "X-GWT-Permutation", and fails the service if absent."?

On 16 set, 11:55, Sripathi Krishnan <sripathi.krish...@gmail.com>
wrote:
> I have read the discussion at http://groups.google.com/group/google-web-toolkit/web/security-for-gw...
> follow it completely. The general recommendation to prevent Cross Site
> Scripting is to duplicate the session id in the http request payload. Doing
> that takes some effort, and I don't want to do it unless absolutely
> neccessary..
>
> When I went through the code for GWT's RemoteServiceServlet, I see that it
> checks for the presence of a HTTP header "X-GWT-Permutation", and fails the
> service if absent.
>
> I thought about it for some time, and came to the conclusion that the http
> header alone should be sufficient to prevent cross site scripting.
>
> The only way that header can be set is via a XmlHttpRequest. A request
> originating from a <script> , <iframe>, <img> <form> tags is not going to be
> able to set that header. And an XmlHttpRequest originating from a different
> domain is not going to work due to Same Origin Policy..
>
> *Question* - Is this conclusion correct? Has anybody yet found a way to get

Sripathi Krishnan

Sep 16, 2009, 11:58:27 AM
to google-we...@googlegroups.com
1) The client class RpcRequestBuilder sets the following headers in the doFinish() method --

  protected void doFinish(RequestBuilder rb) {
    rb.setHeader(STRONG_NAME_HEADER, GWT.getPermutationStrongName());
    rb.setHeader(MODULE_BASE_HEADER, GWT.getModuleBaseURL());
  }

2) On the server side, the class AbstractRemoteServiceServlet defines the method getPermutationStrongName().

  protected final String getPermutationStrongName() {
    return getThreadLocalRequest().getHeader(STRONG_NAME_HEADER);
  }


3) Then, in RemoteServiceServlet, in the processCall() method, there is a check like this -

  if (getPermutationStrongName() == null) {
    throw new SecurityException("Blocked request without GWT permutation header(XSRF attack?)");
  }

(3) is a bit confusing to me. It was definitely there in an older version of RemoteServiceServlet (I think GWT 1.6?). But the current "in-trunk" version of RemoteServiceServlet doesn't have that check. Instead, that check has been moved to another class RpcServlet, which has been marked as experimental.

GWT does seem to follow the "use a custom header to prevent XSRF attack" technique. Question is - Is it enough?

--Sri
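One way to layer both defences the thread discusses on the RPC endpoint, as an added example (not GWT's own code): a servlet filter that requires the X-GWT-Permutation header, as the RemoteServiceServlet check quoted above does, and additionally compares a session-bound token. The X-CSRF-Token header name, the csrfToken session attribute, and a client that sends the token from its own doFinish() override are assumptions.

```java
// Added example, not GWT code. Assumed (hypothetical): the client sends the
// token in an "X-CSRF-Token" header from an RpcRequestBuilder.doFinish()
// override, and the server stored the same token in the HttpSession under
// "csrfToken" when it rendered the host page.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class GwtRpcCsrfFilter implements Filter {
    static final String STRONG_NAME_HEADER = "X-GWT-Permutation"; // header GWT's client sets
    static final String TOKEN_HEADER = "X-CSRF-Token";             // assumed, not GWT's
    static final String TOKEN_ATTR = "csrfToken";                  // assumed session attribute

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Check 1: the custom header. A <form>, <img> or <script> initiated
        // request cannot carry it; only a same-origin XHR can (the post's argument).
        if (request.getHeader(STRONG_NAME_HEADER) == null) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing permutation header");
            return;
        }
        // Check 2: the token duplicated from the session, the defence the group
        // discussion recommends. A forged cross-site request does not know it.
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        String presented = request.getHeader(TOKEN_HEADER);
        if (expected == null || presented == null || !constantTimeEquals(expected, presented)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid session token");
            return;
        }
        chain.doFilter(req, res);
    }

    // Compare without leaking how many leading bytes matched through timing.
    static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }
}
```

Map the filter to the RPC servlet path only, so the host page request that establishes the session token is not itself blocked.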
