Thursday, May 06, 2010

Fuzzing GWT RPC Requests

In a previous post, I went through the process of parsing GWT RPC requests to determine the method and parameter values being sent. In this post I will discuss GwtParse, a tool I wrote to automate that process so that the values within a GWT RPC payload that can actually be manipulated are easy to pick out. GwtParse can be downloaded here, but I recommend you continue reading...

Why use this tool?

Fuzzing every delimited value in a GWT RPC request is not practical and produces a lot of unnecessary output. GWT client-side code is heavily obfuscated, which makes it difficult to identify all the fuzzable values passed in the request by reviewing the JavaScript. Additionally, there can be values in the request that do not originate from user input at all. For example, assume there is a custom “User” object containing a numeric property that indicates a user’s role membership. Manipulating this value could result in unauthorized access to data or privileged functionality. The tool I wrote, gwtparse.py, helps identify the meaningful values in a GWT RPC request so that you can more easily find security bugs in GWT applications during a black box assessment.

gwtparse.py

A command line tool that parses a GWT RPC payload and creates a new payload with all fuzzable values marked. This new payload can then be plugged into the web application fuzzer of your choice. The tool has currently only been tested against GWT version 2.0.

The following types can be parsed:

  • Primitive Java types and their wrapper objects (i.e. Integer, Double, Byte, etc.)
  • Strings
  • Arraylist, Vector, LinkedList
  • Arrays
  • Custom Objects ( to a limited extent )

Parsing of custom objects cannot be guaranteed to work correctly in all scenarios, as they can be very complex. I created a number of test cases with custom objects, but there are bound to be cases that the current version of my tool cannot handle. I just want to point out a couple of key points:

  • Parsing a GWT RPC request is as simple as follows:

$ python gwtparse.py -i "5|0|12|http://127.0.0.1:8888/gwt_test/|4E7583E4BED25F58DDD5F1A1D675522A|
com.gwttest.client.GreetingService|greetServer|java.util.ArrayList/3821976829|
com.gwttest.client.CustomObj/427743781|com.gwttest.client.Person/2847577871|
PersonName|java.lang.Integer/3438268394|CustomObjParam1|CustomObjParam2|
CustomObjParam3|1|2|3|4|2|5|6|5|2|7|200|8|7|200|8|6|9|200|10|11|12|10|"

Output from above command:

GWT RPC Payload Fuzz String

5|0|12|http://127.0.0.1:8888/gwt_test/|4E7583E4BED25F58DDD5F1A1D675522A|
com.gwttest.client.GreetingService|greetServer|java.util.ArrayList/3821976829|
com.gwttest.client.CustomObj/427743781|com.gwttest.client.Person/2847577871|
%s|java.lang.Integer/3438268394|%s|%s|%s|1|2|3|4|2|5|6|5|2|7|
%d|8|7|%d|8|6|9|%d|10|11|12|10|

The default output of the script replaces the fuzzable string values with a %s and the numeric values with a %d. This is incredibly useful since Java is a strongly typed language and will throw an exception if a string value is passed anywhere the application is expecting an Integer.

  • Tool output can be customized so that the fuzzable values are easily recognized by your favorite fuzzer. This is done with the “-s” option, which surrounds the values with the string/character of your choice.
  • For Burp Suite users, there is the “-b” switch to surround the values with the Burp Intruder position marker (the Section Sign, §). Note that the Section Sign character is only output to the command line when run within a terminal that can display UTF-8 (e.g. Linux, Cygwin). Windows users can add the “-w” or “-a” switches to write or append the output to a text file instead.
  • Lastly, there is the “-p” switch that displays the request in a human readable format. This can be especially useful in identifying the values which belong to a custom object. I have included an example of this at the end of my post.

The gwtparse.py program simply calls functionality available within my GWTParser object. The GWTParser object can be easily reused by testers within their own Python fuzzers or tools. Hopefully, application testers will find the tool useful when tackling a GWT application assessment.

If you find GWT RPC payload strings which are not properly handled by my tool (which I am sure there will be), send an email to rgutierrez at gdssecurity.com and I will work on incorporating a fix for the next version. GwtParse can be downloaded here

Sample output when using the -p switch to display GWT RPC requests in human readable format

Serialized Object:

5|0|12|http://127.0.0.1:8888/gwt_test/|4E7583E4BED25F58DDD5F1A1D675522A|
com.gwttest.client.GreetingService|greetServer|java.util.ArrayList/3821976829|
com.gwttest.client.CustomObj/427743781|com.gwttest.client.Person/2847577871|
PersonName|java.lang.Integer/3438268394|CustomObjParam1|CustomObjParam2|
CustomObjParam3|1|2|3|4|2|5|6|5|2|7|200|8|7|200|8|6|9|200|10|11|12|10|


Stream Version: 5
Flags: 0
Column Numbers: 12
Host: http://127.0.0.1:8888/gwt_test/
Hash: 4E7583E4BED25F58DDD5F1A1D675522A
Class Name: com.gwttest.client.GreetingService
Method: greetServer
# of Params: 2

Parameters:
{'flag': False,
'is_array': False,
'is_custom_obj': True,
'is_list': True,
'subtype': 'com.gwttest.client.Person',
'typename': 'java.util.ArrayList/3821976829',
'values': [<Parameter.Parameter object at 0x7fee4a4c>,
<Parameter.Parameter object at 0x7fee4a6c>]}

{ 'flag': False,
'is_array': False,
'is_custom_obj': True,
'is_list': False,
'typename': 'com.gwttest.client.Person/2847577871',
'values': [200, 'PersonName']}
{ 'flag': False,
'is_array': False,
'is_custom_obj': True,
'is_list': False,
'typename': 'com.gwttest.client.Person/2847577871',
'values': [200, 'PersonName']}

{'flag': False,
'is_array': False,
'is_custom_obj': True,
'is_list': False,
'typename': 'com.gwttest.client.CustomObj/427743781',
'values': [200,
'CustomObjParam1',
'CustomObjParam2',
'CustomObjParam3',
'CustomObjParam1']}


The above “pretty” output shows that the RPC call has two parameters. The first parameter is an ArrayList of Person objects, each with two member variables, and the second parameter is another object called CustomObj, which has five member variables.

Reader Comments (9)

Nice job man.

May 7, 2010 | Unregistered Commenter Topol

That's neat.

I have also been working on a tool to decompile GWT generated javascript, primarily to pen-test a GWT app. So far, I have been able to enumerate all the RPC services in an app. Over the next two weeks, I hope to extract the complete signature of each method. That way, we can automatically identify all services and properly fuzz any and every field in the payload.

The project is hosted at http://code.google.com/p/degwt/ and doesn't require any installation. It's just a bookmarklet that can run from the browser.

I am guessing at some point we can merge the two ideas to generate a unified, more powerful tool. I'll watch your tool and will let you know if I make progress.

thanks!
Sri

May 7, 2010 | Unregistered Commenter Sripathi Krishnan

Thanks Sripathi. I am also working on a tool which enumerates all of the service methods in the application by parsing through the javascript. I took a gander at your tool and it looks great. I'm taking a very different approach in order to reach the same outcome though. I would love to talk about our approaches further.

May 7, 2010 | Unregistered Commenter Ron Gutierrez

Thanks Matt

May 7, 2010 | Unregistered Commenter Ron Gutierrez

@Ron - Great. How do I reach you? You can send me a note at . at gmail.com, and we can then trade ideas/discuss further.

May 7, 2010 | Unregistered Commenter Sripathi Krishnan

Hello Ron, thank you very much... your posts were very useful for me... the Python tool also worked very well with v5 RPC payloads (payload starts with number 5), but now I have to analyze some v7 payloads (payload starts with number 7) and the tool seems not to be compatible with it. Please tell me how I can get information on the v7 payload?? Should I look at Google Code? Any tip for that? Thank you in advance!! - Felipe.

March 17, 2012 | Unregistered Commenter Felipe
Hi,

I am trying to use gwtparse to fuzz my requests. But it looks like it's not compatible with Serialization 7 requests. I'm using GWT 2.4. Can you tell me an alternative way?

Also more tutorials on these tools will be helpful.

Thanks.
September 26, 2012 | Unregistered Commenter kp

Hi,

I am trying to use GWTPARSE for fuzzing my application. But it looks like it is compatible with Serialization 5 (I don't know the GWT version). The GWT I want to try is 2.4 (serialization 7). Any suggestions on how to perform fuzzing on an application using GWT 2.4?

October 1, 2012 | Unregistered Commenter kp

This tool is not working on the latest version of GWT, is it?

July 12, 2016 | Unregistered Commenter mumei
