GWT RPC call from URL

I have a servlet that sends emails when a form is submitted, and it works fine. This is done calling from client-side the sendMail() that is implemented on sendMailServiceImpl.

My question is about security: is there a way that someone put a specific URL and those emails are sent? Something like http://myproject.appspot.com/myproject/sendmail?name=aaa&[email protected]

<servlet>
    <servlet-name>sendMailServiceImpl</servlet-name>
    <servlet-class>com.gw.myproject.server.SendMailServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>sendMailServiceImpl</servlet-name>
    <url-pattern>/myproject/sendMail</url-pattern>
</servlet-mapping>

Answer

It is possible that someone sends data via GWT-RPC. There are some attack scenarios described by OWASP

GWT-RPC uses a POST request. The servlet will not listen to GET. There are some mechanisms included that require some knowledge about the request (strong name and serialization policy) and the protocol itself.

But if someone captures a request, he can also send a request.

The request is secured against XSS because of the same-origin policy. But this will not help against requests from plain Java or Python, or from a browser that is started with --disable-web-security

For some more details: GWT RPC data format
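Since the answer's point is that a captured GWT-RPC POST can simply be replayed by a script, the server side has to enforce its own checks rather than rely on the RPC format being obscure. The following is an added example, not code from the asker or the answerer: a hardened version of the asker's SendMailServiceImpl that rejects RPC calls arriving without an established session and caps how many mails one session may send. It assumes a hypothetical client interface SendMailService declaring String sendMail(String name, String email), that the attribute names and the quota value are constructed for this example, and that HTTP sessions are enabled in the deployment (on App Engine that is the sessions-enabled setting in appengine-web.xml).

```java
package com.gw.myproject.server;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import com.google.gwt.user.client.rpc.SerializationException;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

/**
 * Hypothetical hardened SendMailServiceImpl (example, not the asker's code).
 * SendMailService is an assumed client-side interface with
 *   String sendMail(String name, String email)
 */
public class SendMailServiceImpl extends RemoteServiceServlet implements SendMailService {

    // Constructed quota for this example: mails allowed per HTTP session
    private static final int MAX_MAILS_PER_SESSION = 5;
    // Constructed session attribute name holding the per-session counter
    private static final String COUNTER_ATTR = "sendMailCount";

    /**
     * Every GWT-RPC call goes through processCall before the target method is
     * dispatched, so a check here applies even when the payload itself is a
     * perfectly valid (captured and replayed) RPC request.
     */
    @Override
    public String processCall(String payload) throws SerializationException {
        HttpServletRequest req = getThreadLocalRequest();
        // getSession(false) never creates a session: a bare replay from a
        // script that never loaded the page arrives with no session cookie
        HttpSession session = req.getSession(false);
        if (session == null) {
            // RemoteServiceServlet's doPost turns this into an HTTP 500 via
            // doUnexpectedFailure, so the caller gets no RPC result
            throw new SecurityException("sendMail requires an existing session");
        }
        return super.processCall(payload);
    }

    @Override
    public String sendMail(String name, String email) {
        HttpSession session = getThreadLocalRequest().getSession(false);
        Integer count = (Integer) session.getAttribute(COUNTER_ATTR);
        int used = (count == null) ? 0 : count.intValue();

        // Per-session quota limits how much a single replaying client can send
        if (used >= MAX_MAILS_PER_SESSION) {
            return "quota exceeded";
        }
        // Basic sanity check on the recipient before handing it to the mailer
        if (email == null || !email.matches("[^@\\s]+@[^@\\s]+\\.[^@\\s]+")) {
            return "invalid address";
        }
        session.setAttribute(COUNTER_ATTR, Integer.valueOf(used + 1));

        // ... the asker's existing mail-sending code goes here, unchanged ...
        return "ok";
    }
}
```

The session check only raises the bar: a script that first fetches the page obtains a session cookie too, which is why the quota is there as a second limit. For a stronger binding between the page and the RPC call, GWT also ships XsrfProtectedServiceServlet and XsrfTokenServiceServlet (the RPC XSRF protection in the GWT security guide), which require the client to present a token derived from the session cookie with each call.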
