
I have a servlet that sends emails when a form is submitted, and it works fine. This is done by calling, from the client side, the sendMail() method implemented in sendMailServiceImpl.

My question is about security: is there a way that someone could put in a specific URL and have those emails sent? Something like http://myproject.appspot.com/myproject/sendmail?name=aaa&email=aa@aa.com

<servlet>
    <servlet-name>sendMailServiceImpl</servlet-name>
    <servlet-class>com.gw.myproject.server.SendMailServiceImpl</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>sendMailServiceImpl</servlet-name>
    <url-pattern>/myproject/sendMail</url-pattern>
</servlet-mapping>
  • If email is a request parameter, why wouldn't that be possible? The answer to your question is probably yes, but have you at least tried it? – Abdullah Jibaly Sep 17 '13 at 19:28
  • I have, and I get a not-found error. I didn't know if it is because I am typing the wrong address or if it is forbidden. –  Sep 17 '13 at 19:30
  • Probably not as url parameters, but in the payload somehow. – AnAmuser Sep 17 '13 at 19:32
  • Take a valid request (you can use Chrome inspector and see it in the Network tab of devtools), modify it, and see if it still works. – Abdullah Jibaly Sep 17 '13 at 19:34
  • Your URL looks like an HTTP GET request. I believe GWT servlets use POST requests by default. You should make POST requests, and look at this article for how to interface with the GWT RPC method: http://stackoverflow.com/questions/6135590/gwt-rpc-data-format – Churro Sep 17 '13 at 19:46

1 Answer


It is possible that someone sends data via GWT-RPC. There are some attack scenarios described by OWASP.

GWT-RPC uses a POST request. The servlet will not listen to GET. There are some mechanisms included that require some knowledge about the request (strong name and serialization policy) and the protocol itself.

But if someone captures a request, he can also send one.

The request is secured against XSS because of the same-origin policy. But this will not help against requests from plain Java or Python, or a browser which is started with --disable-web-security.

For some more details: GWT RPC data format
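As an added, hypothetical mitigation that is not part of the question or the answer above: a servlet filter placed in front of /myproject/sendMail that enforces what the answer describes (POST only, the X-GWT-Permutation header the GWT client sends) and adds what a replayed request cannot satisfy on its own, a per-session token and a per-session send cap. The session attribute name sendMailToken, the X-SendMail-Token header and the limit of 5 are assumptions; the token would be issued to the client when the form page is served.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Hypothetical guard filter; map it to /myproject/sendMail in web.xml.
public class SendMailGuardFilter implements Filter {
    private static final int MAX_PER_SESSION = 5; // assumed limit
    private final ConcurrentHashMap<String, AtomicInteger> counts = new ConcurrentHashMap<>();

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;

        // 1. GWT-RPC is POST only; refuse any other method outright.
        if (!"POST".equals(r.getMethod())) {
            w.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        // 2. The GWT client sends X-GWT-Permutation; its absence means a non-GWT client.
        //    A captured request can replay it, so this is a filter, not proof of origin.
        if (r.getHeader("X-GWT-Permutation") == null) {
            w.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 3. Require an existing session and a per-session token (assumed names)
        //    that the client copies into a header; a replayed request from another
        //    session does not carry a matching token.
        HttpSession s = r.getSession(false);
        String expected = s == null ? null : (String) s.getAttribute("sendMailToken");
        if (expected == null || !expected.equals(r.getHeader("X-SendMail-Token"))) {
            w.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 4. Cap sends per session so a replayed request cannot become a mail relay.
        int n = counts.computeIfAbsent(s.getId(), k -> new AtomicInteger()).incrementAndGet();
        if (n > MAX_PER_SESSION) {
            w.sendError(429); // Too Many Requests
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The counts map is kept in memory for illustration only; on a multi-instance deployment such as App Engine the cap would need to live in shared storage.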
