Welcome!

RIA News Desk

Subscribe to RIA News Desk: eMailAlertsEmail Alerts
Get RIA News Desk via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Related Topics: RIA Developer's Journal

RIA & Ajax: Article

Imperva Discovers Critical Vulnerability In AJAX Technology

Application Defense Center Identifies Major Flaw in Next Generation Web Application Framework

The ADC announced the discovery of a critical vulnerability in DWR (Direct Web Reporting) – a well known open source AJAX library that is incorporated into existing public Web sites. AJAX DWR includes two mechanisms that restrict access to sensitive functions (or “methods”). However, these mechanisms only affect client side code. Thus, an attacker can circumvent these restrictions using commonly available client tools (e.g. an HTTP client proxy) to manually manipulate browser requests. An exploit of this vulnerability can result in multiple damaging outcomes including data theft and denial of service.

This client-side vulnerability can be exploited to launch Denial of Service (DoS) attacks and break into back-end servers and databases.  AJAX is emerging as the new lingua franc for building new generation Web 2.0 applications such as Google Maps. Since AJAX executes a much larger proportion of application logic in the web browser than traditional web applications, it exposes a broader attack surface to client-side exploits used by attackers to target sensitive back-end servers directly.

Mitigating AJAX DWR Forceful Method Invocation risk requires secure code development to eliminate exposed classes that have methods which should not be invoked by the client. The code writing effort varies in complexity depending upon the phase of Web application deployment. Securing applications during initial development is less costly than securing existing applications. Imperva’s SecureSphere Web Application Firewall can be used to accelerate and reduce the cost of risk mitigation – especially for existing Web applications.

The ADC has published a free security advisory that details the DWR vulnerability and how to mitigate attacks. The ADC Security Advisory on the DWR vulnerability is available at: http://www.imperva.com/application_defense_center/papers/web20-ajax-dwr-...

More Stories By RIA News Desk

Ever since Google popularized a smarter, more responsive and interactive Web experience by using AJAX (Asynchronous JavaScript + XML) for its Google Maps & Gmail applications, SYS-CON's RIA News Desk has been covering every aspect of Rich Internet Applications and those creating and deploying them. If you have breaking RIA news, please send it to RIA@sys-con.com to share your product and company news coverage with AJAXWorld readers.

Comments (2) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
ajax news desk 01/03/07 11:04:41 AM EST

The ADC announced the discovery of a critical vulnerability in DWR (Direct Web Reporting), a key underlying technology in the AJAX web application development framework. This client-side vulnerability can be exploited to launch Denial of Service (DoS) attacks and break into back-end servers and databases.

ajax news desk 01/03/07 10:10:27 AM EST

The ADC announced the discovery of a critical vulnerability in DWR (Direct Web Reporting), a key underlying technology in the AJAX web application development framework. This client-side vulnerability can be exploited to launch Denial of Service (DoS) attacks and break into back-end servers and databases.