By RIA News Desk | January 3, 2007 01:45 PM EST
The ADC announced the discovery of a critical vulnerability in DWR (Direct Web Reporting) – a well known open source AJAX library that is incorporated into existing public Web sites. AJAX DWR includes two mechanisms that restrict access to sensitive functions (or “methods”). However, these mechanisms only affect client side code. Thus, an attacker can circumvent these restrictions using commonly available client tools (e.g. an HTTP client proxy) to manually manipulate browser requests. An exploit of this vulnerability can result in multiple damaging outcomes including data theft and denial of service.
This client-side vulnerability can be exploited to launch Denial of Service (DoS) attacks and break into back-end servers and databases. AJAX is emerging as the new lingua franca for building new generation Web 2.0 applications such as Google Maps. Since AJAX executes a much larger proportion of application logic in the web browser than traditional web applications, it exposes a broader attack surface to client-side exploits used by attackers to target sensitive back-end servers directly.
Mitigating AJAX DWR Forceful Method Invocation risk requires secure code development to eliminate exposed classes that have methods which should not be invoked by the client. The code writing effort varies in complexity depending upon the phase of Web application deployment. Securing applications during initial development is less costly than securing existing applications. Imperva’s SecureSphere Web Application Firewall can be used to accelerate and reduce the cost of risk mitigation – especially for existing Web applications.
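The underlying point of the advisory and of the mitigation paragraph above is that a restriction enforced only in the browser's JavaScript stub is not a security control, because the server receives whatever request the client chooses to send. The following example, added here and not taken from DWR or from Imperva's advisory, shows a toy remoting dispatcher in two forms: one that trusts the client stub and invokes any public method named in the request, and a hardened one that checks a server-side allowlist and logs rejected calls. The service class, request fields and method names are constructed for illustration.

```python
"""Server-side method allowlist for an AJAX remoting endpoint.

Illustrative example (not DWR's own code): a request names the target
class and method as strings, which is what a proxy-edited remoting call
also does.  The vulnerable dispatcher assumes the client stub only offers
the safe methods; the hardened one enforces the restriction on the server.
"""
import logging
from dataclasses import dataclass

log = logging.getLogger("remoting")


class ReportService:
    """Hypothetical exposed class with one safe and two sensitive methods."""

    def get_summary(self, report_id: str) -> str:
        return f"summary of {report_id}"

    def delete_all_reports(self) -> str:
        # Sensitive: must never be reachable from the client.
        return "all reports deleted"

    def run_query(self, sql: str) -> str:
        # Sensitive: direct database access.
        return f"executed {sql}"


# Classes the remoting layer has instantiated for client use.
SERVICES = {"ReportService": ReportService()}


@dataclass
class RemoteCall:
    """A parsed remoting request; the field names are constructed for this example."""
    script: str
    method: str
    params: tuple


def dispatch_vulnerable(call: RemoteCall) -> str:
    """Mirrors the flaw described in the advisory: any public method of an
    exposed class can be invoked just by naming it in the request."""
    target = SERVICES[call.script]
    return getattr(target, call.method)(*call.params)


# Server-side allowlist: the only (class, method) pairs a client may call.
# Everything not listed here is unreachable no matter what the JavaScript stub shows.
ALLOWED_METHODS = {
    "ReportService": {"get_summary"},
}


class MethodNotAllowed(Exception):
    """Raised when a request names a method outside the server-side allowlist."""


def dispatch_hardened(call: RemoteCall) -> str:
    """Reject any call not on the allowlist, then dispatch as before."""
    allowed = ALLOWED_METHODS.get(call.script, set())
    if call.method not in allowed:
        # Log the attempt: repeated rejections are a useful detection signal.
        log.warning("rejected remote call %s.%s", call.script, call.method)
        raise MethodNotAllowed(f"{call.script}.{call.method} is not exposed to clients")
    return getattr(SERVICES[call.script], call.method)(*call.params)


def is_blocked(call: RemoteCall) -> bool:
    """True if the hardened dispatcher refuses the call."""
    try:
        dispatch_hardened(call)
        return False
    except MethodNotAllowed:
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed requests: the first is what a browser stub sends, the second
    # is what an edited request could name once the stub's restriction is ignored.
    legit = RemoteCall("ReportService", "get_summary", ("q3",))
    forged = RemoteCall("ReportService", "delete_all_reports", ())
    print(dispatch_vulnerable(forged))   # succeeds: the only restriction was client-side
    print(dispatch_hardened(legit))      # succeeds: on the allowlist
    print(is_blocked(forged))            # True: rejected on the server
```

The allowlist is deliberately a property of the server, not of the generated JavaScript; in DWR terms this is the role of the per-class include and exclude rules in dwr.xml, and the same principle applies to a Web application firewall placed in front of an existing deployment, which can enforce the method allowlist without changing application code.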
The ADC has published a free security advisory that details the DWR vulnerability and how to mitigate attacks. The ADC Security Advisory on the DWR vulnerability is available at: http://www.imperva.com/application_defense_center/papers/web20-ajax-dwr-...
Copyright © 2007 SYS-CON Media, Inc. — All Rights Reserved.