Digital Edition

SYS-CON.TV
AJAX & Security: Vulnerability in DWR Security Logic Identified
Can potentially be exploited to launch DoS attacks and break into back-end servers

(SYS-CON Media) –  A significant vulnerability in the security logic of a well known open source AJAX library called DWR has been identified by the Imperva Application Defense Center.

According to Amichai Shulman (pictured), CTO of Imperva and head of the Imperva Application Defense Center (ADC):

"AJAX DWR includes two mechanisms that restrict access to sensitive functions (or “methods”). However, these mechanisms only affect client side code. Thus, an attacker can circumvent these restrictions using commonly available client tools (e.g. an HTTP client proxy) to manually manipulate browser requests. An exploit of this vulnerability can result in multiple damaging outcomes including data theft and denial of service."
Shulman gives an example of a sensitive Java function that may be accessed by an exploit of the AJAX DWR Restricted Method Vulnerability: it is called “Java clone”.

"Although access to Java clone is generally undesirable," he explains, "the DWR Forceful Method Invocation vulnerability can be exploited to construct requests that repeatedly invoke this function. Since server memory space is allocated for each Java clone invocation, a steep increase in server resource usage and denial of service conditions follow. The Imperva Application Defense Center has implemented tests confirming this result. Forceful access to other sensitive Web site functions can lead to alternative outcomes such as data theft."

Mitigating AJAX DWR Forceful Method Invocation risk, Shulman adds, requires secure code development to eliminate exposed classes that have methods which should not be invoked by the client:

"The code writing effort varies in complexity depending upon the phase of Web application deployment. Securing applications during initial development is less costly than securing existing applications. Imperva’s SecureSphere Web Application Firewall can be used to accelerate and reduce the cost of risk mitigation – especially for existing Web applications."
"Whenever possible,: Shulman concludes, "Web application security logic should be implemented in server code. Server logic is less accessible to attackers and therefore less vulnerable."

About RIA News Desk
Ever since Google popularized a smarter, more responsive and interactive Web experience by using AJAX (Asynchronous JavaScript + XML) for its Google Maps & Gmail applications, SYS-CON's RIA News Desk has been covering every aspect of Rich Internet Applications and those creating and deploying them. If you have breaking RIA news, please send it to RIA@sys-con.com to share your product and company news coverage with AJAXWorld readers.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

So DWR is "easy Ajax for Java"? It seems to allow you to export your Java code to a browser and include the results in your pages.

So DWR is "easy Ajax for Java"? It seems to allow you to export your Java code to a browser and include the results in your pages.




ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

ChatOps is an emerging topic that has led to the wide availability of integrations between group cha...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an over...
The cloud era has reached the stage where it is no longer a question of whether a company should mig...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know ...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and ...
The need for greater agility and scalability necessitated the digital transformation in the form of ...
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting ch...
While some developers care passionately about how data centers and clouds are architected, for most,...
"Since we launched LinuxONE we learned a lot from our customers. More than anything what they respon...
Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every ...
DevOps is under attack because developers don’t want to mess with infrastructure. They will happily ...
"As we've gone out into the public cloud we've seen that over time we may have lost a few things - w...
In his session at 21st Cloud Expo, Michael Burley, a Senior Business Development Executive in IT Ser...
Sanjeev Sharma Joins June 5-7, 2018 @DevOpsSummit at @Cloud Expo New York Faculty. Sanjeev Sharma is...
We are given a desktop platform with Java 8 or Java 9 installed and seek to find a way to deploy hig...
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis too...
"Cloud4U builds software services that help people build DevOps platforms for cloud-based software a...
The question before companies today is not whether to become intelligent, it’s a question of how and...
Kubernetes is an open source system for automating deployment, scaling, and management of containeri...