We have all heard about vulnerability scanners such as Qualys and Acunetix and how they're at the forefront of security! Right until they hit a website created using the Google Web Toolkit, otherwise known as GWT.
People have even raised the issue that GWT-built apps are not supported by Acunetix, as is shown in this issue. Poor thing has no replies and is dated from last year. Yes, this is how much Acunetix cares.
Qualys makes no mention of GWT support, but I can assure all that they do not have any support. Mainly because I developed a large GWT web app and we tried scanning it with Qualys and it failed numerous times. It cannot even get past the login page. Issues were raised like months ago and it seems they're struggling.
Why is this bad?
Well, according to InfoSecurity Magazine, most open-source frameworks have security vulnerabilities. Most get used in mission-critical applications, and the user or company may not know that vulnerabilities exist, nor whether new versions were released that fixed them. That being said, according to InfoSecurity Magazine, Google Web Toolkit was downloaded 17.7 million times with known vulnerabilities, and this was dated April 2012. So that means GWT version 2.4.0 has the vulnerabilities, and maybe people should read the changelog of release candidate 2.5.0.