Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

GWT Java Deserialization: Unpatched and Unauthenticated

Watch our exclusive livestream with Ben Lincoln, Managing Principal at Bishop Fox, to learn about GWT web application vulnerabilities, exploitation strategies, and security enhancement recommendations.

Imagine hearing about an unpatched, eight-year-old vulnerability in a popular, open-source web application framework originally developed by Google. Most offensive security professionals would likely assume it was an unfounded rumor. At a bare minimum, the developers must have updated documentation like “getting started” tutorials to indicate the inherent danger of using vulnerable features rather than highlighting the application’s functionality. Alternatively, the vulnerable framework features could have been marked as deprecated or the framework documentation could offer suggestions for replacing vulnerable code with updated alternatives.

It may seem hard to believe, but this is not just a rumor. Despite being openly discussed in 2015 and 2023 amongst the security community, the vulnerability in GWT (originally “Google Web Toolkit or sometimes referred to as “GWT Web Toolkit”) exists and could expose application owners to server-side code execution by unauthenticated attackers.

Join us for an exclusive livestream with offensive security expert Ben Lincoln as he unveils his groundbreaking research on the GWT vulnerability. Ben will share his expert knowledge on GWT, enhanced classes, and exploiting a vulnerable GWT application. Most importantly, he will show you how to determine if your GWT application is vulnerable and provide strategies to enhance your organization’s web application security.

This training session is designed to strengthen your offensive security skills when it comes to securing web applications. Discover the key to unlocking invaluable insights on:

  • The unique vulnerability in GWT and why it matters for improved web application security
  • How to exploit a vulnerable GWT web application and set up an intentionally vulnerable GWT web application to test against
  • Assessing vulnerabilities in GWT and developing effective mitigations
Ben Lincoln Headshot Managing Senior Security Consultant Bishop Fox

About the speaker, Ben Lincoln

Managing Principal

Ben Lincoln is a Managing Principal at Bishop Fox and focuses on application security. He has extensive experience in network penetration testing, red team activities, white-/black-box web/native application penetration testing, and exploit development. Prior to joining Bishop Fox, Ben was a security consultant with NCC Group, a global information assurance consulting organization. He also previously worked at a major retail corporation as a senior security engineer and a senior systems engineer. Ben delivered presentations at major security conferences, including "A Black Path Toward the Sun" at Black Hat USA 2016. Ben is OSCP-certified and has released several open-source exploit tools.

More by Ben

Extend Your Knowledge

Check out these related resources.

Pwing the Domain with Silver Framework with purple and black background.
Livestream

Pwning the Domain with Sliver Framework

Senior security expert Jon Guild demonstrates how to use the Sliver C2 framework to develop advanced offensive security skills. Arm yourself with the knowledge and skills of enumeration, lateral movement, and escalation techniques from first-hand experience in a vulnerable lab environment.

Learn More
Training session title: Swagger Jacker Training about improved auditing of OpenAPI Definition Files with the headshot os security consultant Tony West, a Bishop Fox adversarial operator.
Livestream

Swagger Jacker: Improved Auditing of OpenAPI Definition Files

Discover the power of Swagger Jacker, an open-source audit tool designed to improve inspection of unintentionally exposed OpenAPI definition files for penetration testers.

Learn More
Black background with purple neon, turquoise, and white letters. Photo of speaker, Tom Hudson.
Livestream

Tool Talk: jsluice

Tune in to the eleventh episode of our Tool Talk series to hear Tom Hudson speak about jsluice, an open-source, Go package and command-line tool used to extract information from JavaScript files and code.

Learn More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.