Welcome!

AJAX & REA Authors: Piram Manickam, Subrahmanya SV, S Sangeetha, Bob Gourley, RealWire News Distribution

Related Topics: AJAX & REA, Open Source

AJAX & REA: Article

Imperva Discovers Critical Vulnerability In AJAX Technology

Application Defense Center Identifies Major Flaw in Next Generation Web Application Framework

The ADC announced the discovery of a critical vulnerability in DWR (Direct Web Reporting) – a well known open source AJAX library that is incorporated into existing public Web sites. AJAX DWR includes two mechanisms that restrict access to sensitive functions (or “methods”). However, these mechanisms only affect client side code. Thus, an attacker can circumvent these restrictions using commonly available client tools (e.g. an HTTP client proxy) to manually manipulate browser requests. An exploit of this vulnerability can result in multiple damaging outcomes including data theft and denial of service.

This client-side vulnerability can be exploited to launch Denial of Service (DoS) attacks and break into back-end servers and databases.  AJAX is emerging as the new lingua franc for building new generation Web 2.0 applications such as Google Maps. Since AJAX executes a much larger proportion of application logic in the web browser than traditional web applications, it exposes a broader attack surface to client-side exploits used by attackers to target sensitive back-end servers directly.

Mitigating AJAX DWR Forceful Method Invocation risk requires secure code development to eliminate exposed classes that have methods which should not be invoked by the client. The code writing effort varies in complexity depending upon the phase of Web application deployment. Securing applications during initial development is less costly than securing existing applications. Imperva’s SecureSphere Web Application Firewall can be used to accelerate and reduce the cost of risk mitigation – especially for existing Web applications.

The ADC has published a free security advisory that details the DWR vulnerability and how to mitigate attacks. The ADC Security Advisory on the DWR vulnerability is available at: http://www.imperva.com/application_defense_center/papers/web20-ajax-dwr-...

More Stories By RIA News Desk

Ever since Google popularized a smarter, more responsive and interactive Web experience by using AJAX (Asynchronous JavaScript + XML) for its Google Maps & Gmail applications, SYS-CON's RIA News Desk has been covering every aspect of Rich Internet Applications and those creating and deploying them. If you have breaking RIA news, please send it to RIA@sys-con.com to share your product and company news coverage with AJAXWorld readers.

Comments (2) View Comments

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


Most Recent Comments
ajax news desk 01/03/07 11:04:41 AM EST

The ADC announced the discovery of a critical vulnerability in DWR (Direct Web Reporting), a key underlying technology in the AJAX web application development framework. This client-side vulnerability can be exploited to launch Denial of Service (DoS) attacks and break into back-end servers and databases.

ajax news desk 01/03/07 10:10:27 AM EST

The ADC announced the discovery of a critical vulnerability in DWR (Direct Web Reporting), a key underlying technology in the AJAX web application development framework. This client-side vulnerability can be exploited to launch Denial of Service (DoS) attacks and break into back-end servers and databases.

Cloud Expo Breaking News
Cloud computing is more than a buzz-phrase it’s a transformative IT paradigm shift. The emphasis in the cloud is on elasticity, scalability, agility and open. Not just open standards but open APIs and open source. The delivery of software is also going through a paradigm shift. Open source software was often a commoditization of a market leader; Unix to Linux or Oracle to MySQL what’s changing is that the iterative nature, user context and the motto of releasing early and often are driving real ...
In an ideal developer/systems administrator’s world, most applications would deploy seamlessly to multiple platforms and scale elastically with minimal effort bringing the unprecedented agility of the cloud within immediate reach of developer teams and IT organizations. OpenStack, a RackSpace and NASA initiative, is now managed by an independent foundation and is supported by multiple vendors. It defines APIs for compute, storage, networking, services, monitoring, and additional infrastructure...
Storage and Archive offerings are now exploding on the market. From end-user mobile devices to company tactical level, the cloud has become a black hole for every kind of data. But what are the risks, and what are the real needs? In his session at the 12th International Cloud Expo, Alexandre Morel, Cloud Product Manager & Evangelist at OVH.com, will answer questions such as: How to develop a strategy to use those offers as a base to develop mid and long-term value? Should companies trust th...
Organizations across the world are increasingly starting to see the benefits of moving more and more services to the cloud. The focus on the cost-saving potential of cloud is rapidly shifting to completely transforming the business with cloud. As organizations are investing enormous sums on technology they are starting to realize that in order to maximize the return on investment and accelerate the business transformation process the first area of focus should be people. By ensuring the organiza...
These days, it seems that every cloud provider claims that cloud is safer than your traditional datacenter. Is it though? In his General Session at 12th Cloud Expo | Cloud Expo New York, McAfee expert Rishi Bhargava will help you explore and address the security challenges and considerations for public cloud (IaaS, PaaS and SaaS).
Companies around the world are collecting massive amounts of data everyday that’s sitting around and not being utilized. Take for example the fact that companies collect demographic and location-based data via mobile devices all the time, but have to figure out how to monetize that data. In his session at the 12th International Cloud Expo, Jason Hoffman, CTO & Founder of Joyent, will examine the state of Big Data, taking a look at what we're doing now to discussing what's on the horizon, as co...
If zettabytes of data exist, why is less than 1% of the world’s data being analyzed today? Seasoned entrepreneur and startup CEO Radhika Subramanian believes that the inability to analyze and gain value from Big Data is that organizations are taking a services-centered approach. As the title of the session implies, Subramanian believes that the data needs to do the talking, not armies of analysts searching and querying databases. Her company has developed high-speed, advanced algorithms to autom...
At pennies per virtual machine-hour, the economics of cloud computing are both compelling and daunting to replicate. Whether you are building your own cloud infrastructure, building a public cloud or choosing a cloud service, there are key strategy and technology decisions that make the difference between success and failure. This session will share industry best practices for deploying cloud infrastructure that maximize the benefits of cloud economics, agility and interoperability. Learn how...
Need to scale your data tier? The foundation of every application is the database layer, and today application architects have more choices than ever. With these choices come new questions: Which database technology is best for your application? How can your application take advantage of Big Data technology? Can you run your relational database at Big Data scale? What does it take to implement a comprehensive data infrastructure, including your core database, incorporating SQL, No SQL and Big Da...
SYS-CON Events announced today that Zyrion Inc., the leading provider of Cloud and IT Monitoring software solutions, has been named “Entrance Carpet Sponsor” of SYS-CON's 12th International Cloud Expo, which will take place on June 10–13, 2013, at the Javits Center in New York City, New York. Zyrion is the leading provider of integrated Cloud and Network monitoring software for distributed and complex datacenter environments, and offers the most scalable monitoring platform in the industry. Zyr...