0

I would like to analyze the authentication function of a given GWT web application. When authenticating with my credentials, I could identify that my credentials are sent via websocket in form of a binary blob. This most certainly is a serialized GWT object. The authentication seems to follow a protocol that involves 3-4 messages exchanged with the server-side.

Hence, I strive to understand how the client-side transforms my textual credentials (username / password) into this binary blob. Subsequently, I would like to understand how I can deserialize messages coming from the server in order to get a better idea of the messages exchanged and hence the protocol.

user1192748
  • 101
  • Iā€™m voting to close this question because it is basically asking how to reverse engineer an application or protocol - and it just happens that the protocol is used to transport credentials. There is [reverseengineering.se] for this. ā€“  Oct 20 '23 at 12:29
  • Is there a way to transfer the question over there or should I open it there from scratch? ā€“  Oct 20 '23 at 12:33

1 Answers1

0

After further investigation of the protocol, it seems like there is no pbject serialization involved. Instead, the application creates a websocket and establishes a AES-CBC encrypted channel. Hence, the binary blobs that I was seeing are encrypted messages.

user1192748
  • 101