
GWT Java Deserialization: Unpatched and Unauthenticated

Watch our exclusive livestream with Ben Lincoln, Managing Principal at Bishop Fox, to learn about GWT web application vulnerabilities, exploitation strategies, and security enhancement recommendations.

Imagine hearing about an unpatched, eight-year-old vulnerability in a popular, open-source web application framework originally developed by Google. Most offensive security professionals would likely assume it was an unfounded rumor. At a bare minimum, the developers must have updated documentation like “getting started” tutorials to indicate the inherent danger of using vulnerable features rather than highlighting the application’s functionality. Alternatively, the vulnerable framework features could have been marked as deprecated or the framework documentation could offer suggestions for replacing vulnerable code with updated alternatives.

It may seem hard to believe, but this is not just a rumor. Despite being openly discussed in 2015 and 2023 amongst the security community, the vulnerability in GWT (originally “Google Web Toolkit”, sometimes referred to as “GWT Web Toolkit”) exists and could expose application owners to server-side code execution by unauthenticated attackers.

Join us for an exclusive livestream with offensive security expert Ben Lincoln as he unveils his groundbreaking research on the GWT vulnerability. Ben will share his expert knowledge on GWT, enhanced classes, and exploiting a vulnerable GWT application. Most importantly, he will show you how to determine if your GWT application is vulnerable and provide strategies to enhance your organization’s web application security.

This training session is designed to strengthen your offensive security skills when it comes to securing web applications. Discover the key to unlocking invaluable insights on:

  • The unique vulnerability in GWT and why it matters for improved web application security
  • How to exploit a vulnerable GWT web application and set up an intentionally vulnerable GWT web application to test against
  • Assessing vulnerabilities in GWT and developing effective mitigations


About the speaker, Ben Lincoln

Managing Principal

Ben Lincoln is a Managing Principal at Bishop Fox and focuses on application security. He has extensive experience in network penetration testing, red team activities, white-/black-box web/native application penetration testing, and exploit development. Prior to joining Bishop Fox, Ben was a security consultant with NCC Group, a global information assurance consulting organization. He also previously worked at a major retail corporation as a senior security engineer and a senior systems engineer. Ben delivered presentations at major security conferences, including "A Black Path Toward the Sun" at Black Hat USA 2016. Ben is OSCP-certified and has released several open-source exploit tools.

