| .. | ||
| README.md | ||
Google Web Toolkit
Google Web Toolkit (GWT), also known as GWT Web Toolkit, is an open-source set of tools that allows web developers to create and maintain JavaScript front-end applications using Java. It was originally developed by Google and had its initial release on May 16, 2006.
Summary
Tools
- FSecureLABS/GWTMap - GWTMap is a tool to help map the attack surface of Google Web Toolkit (GWT) based applications.
- GDSSecurity/GWT-Penetration-Testing-Toolset - A set of tools made to assist in penetration testing GWT applications.
Methodology
-
Enumerate the methods of a remote application via it's bootstrap file and create a local backup of the code (selects permutation at random):
./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --backup -
Enumerate the methods of a remote application via a specific code permutation
./gwtmap.py -u http://10.10.10.10/olympian/C39AB19B83398A76A21E0CD04EC9B14C.cache.js -
Enumerate the methods whilst routing traffic through an HTTP proxy:
./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --backup -p http://127.0.0.1:8080 -
Enumerate the methods of a local copy (a file) of any given permutation:
./gwtmap.py -F test_data/olympian/C39AB19B83398A76A21E0CD04EC9B14C.cache.js -
Filter output to a specific service or method:
./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --filter AuthenticationService.login -
Generate RPC payloads for all methods of the filtered service, with coloured output
./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --filter AuthenticationService --rpc --color -
Automatically test (probe) the generate RPC request for the filtered service method
./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --filter AuthenticationService.login --rpc --probe ./gwtmap.py -u http://10.10.10.10/olympian/olympian.nocache.js --filter TestService.testDetails --rpc --probe