
We build a GWT app (using gwt-maven-plugin) resulting in a .war file. Currently this .war file contains a file called hosted.html, which is used to run in development (née hosted) mode, when query parameter gwt.codesvr=... is specified.

Is there a security risk in having this in the .war file in production, or is there another reason to make sure this file does not end up in the .war file?

If so, what is the simplest way to do so?

Thanks!

1 Answer

The GWT dev plugin requires the webserver+codeserver pair of host+port to be whitelisted, so there's absolutely no security risk in deploying hosted.html. The benefit of deploying it is that you can debug your app with your production server.

Note: that necessary whitelisting is to prevent “XSS triggered by a simple query-string parameter”. An attacker could otherwise make you run a trusted GWT app with their own code server.

Thomas Broyer
  • Thanks! Could you clarify a bit more (and/or point to documentation on this point)? What host+port needs to be whitelisted? From where to where is a network connection set up, when using the GWT dev plugin? If I navigate to http://example.com/bank/gwtapp?gwt.codesvr=127.0.0.1:9997 (so that my browser runs that site's hosted.html), and run a local 'code server', what additional info am I going to get from that site? – MarnixKlooster ReinstateMonica Mar 22 '13 at 09:11
  • When doing this, the GWT Dev Plugin will ask you to whitelist "example.com:80 → 127.0.0.1:9997" before it actually starts. This prevents an attacker from directing you into using a trusted webapp with their code server (that would be the equivalent of an XSS, triggered by a simple query-string parameter). – Thomas Broyer Mar 22 '13 at 09:19
  • OK, thanks for clearing that up. But the concern here is actually the other way around: I should not be able to attach a debugger to bank/gwtapp to debug through that GWT-Java code, or get any other additional information out of that GWT app. Does `?gwt.codesvr=...` allow me (as attacker) to do something like that? – MarnixKlooster ReinstateMonica Mar 22 '13 at 16:48
  • An "attacker" could run their own Java code instead of your app, but they could do the same by other means with JS (open the Dev Tools and do whatever you want with the page, and/or go through a filtering HTTP proxy such as Fiddler2). The only way to "debug your code" would be to **have** your code in the first place and run a code server with it. – Thomas Broyer Mar 22 '13 at 19:15
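The whitelist check described in the answer and comments, as an added example (this is not the GWT Developer Plugin's own code, and the entry format, the function names and the sample whitelist are assumptions). It derives the "web server host:port → code server host:port" pair from the page URL and its gwt.codesvr parameter and only allows the connection when exactly that pair has been whitelisted, which is what stops a trusted site from being paired with an attacker's code server:

```javascript
// Added example, not GWT's plugin code: models the pairing check the GWT
// Developer Plugin performs before it connects to the code server named by
// ?gwt.codesvr=host:port. Entry shape {webServer, codeServer} is assumed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// "host:port" of the page being loaded; the scheme's default port is filled
// in when the URL carries none, so "http://example.com/..." → "example.com:80".
function webServerKey(pageUrl) {
  const u = new URL(pageUrl);
  const port = u.port || DEFAULT_PORTS[u.protocol];
  if (!port) throw new Error("unsupported scheme: " + u.protocol);
  return `${u.hostname}:${port}`;
}

// The gwt.codesvr query parameter, or null when the page was loaded without
// it (i.e. production mode, where no code server is contacted at all).
function codeServerKey(pageUrl) {
  const v = new URL(pageUrl).searchParams.get("gwt.codesvr");
  if (v === null) return null;
  // Expect host:port with a numeric port; reject anything else rather than
  // guess (IPv6 literals are deliberately not accepted by this example).
  if (!/^[A-Za-z0-9.\-]+:\d{1,5}$/.test(v)) {
    throw new Error("malformed gwt.codesvr: " + v);
  }
  return v;
}

// Decide whether the plugin may start. Only an entry for the exact pair
// (this web server, this code server) counts: an entry whitelisting the
// same code server for another site, or another code server for this site,
// does not, which is what blocks "trusted site + attacker's code server".
function mayConnect(pageUrl, whitelist) {
  const codeServer = codeServerKey(pageUrl);
  if (codeServer === null) return { mode: "production", allowed: false };
  const webServer = webServerKey(pageUrl);
  const allowed = whitelist.some(
    e => e.webServer === webServer && e.codeServer === codeServer
  );
  return { mode: "development", webServer, codeServer, allowed };
}

// Constructed sample whitelist: the pair the user approved once when
// debugging their own app against the production server.
const SAMPLE_WHITELIST = [
  { webServer: "example.com:80", codeServer: "127.0.0.1:9997" },
];
```

Usage: `mayConnect("http://example.com/bank/gwtapp?gwt.codesvr=127.0.0.1:9997", SAMPLE_WHITELIST).allowed` is true for the approved pair, while the same page with `gwt.codesvr=evil.example:9997`, or the same code server reached from `https://example.com` (port 443, a different pair), is refused; without the parameter the result is `{ mode: "production" }` and no code server is involved, which is why shipping hosted.html on its own does not open a door.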