Immo Huneke wrote: A well written article, an ingenious solution to a real problem often encountere...
Jan. 6, 2009 08:14 AM
|
 |
 |
|
|
|
YOUR FEEDBACK
Did you read today's front page stories & breaking news?
SYS-CON.TV
|
TOP THREE LINKS YOU MUST CLICK ON AJAX & Security AJAX & Security: Vulnerability in DWR Security Logic Identified
Can potentially be exploited to launch DoS attacks and break into back-end servers
By: RIA News Desk
Jan. 8, 2007 06:15 PM
"AJAX DWR includes two mechanisms that restrict access to sensitive functions (or “methods”). However, these mechanisms only affect client side code. Thus, an attacker can circumvent these restrictions using commonly available client tools (e.g. an HTTP client proxy) to manually manipulate browser requests. An exploit of this vulnerability can result in multiple damaging outcomes including data theft and denial of service."Shulman gives an example of a sensitive Java function that may be accessed by an exploit of the AJAX DWR Restricted Method Vulnerability: it is called “Java clone”. "Although access to Java clone is generally undesirable," he explains, "the DWR Forceful Method Invocation vulnerability can be exploited to construct requests that repeatedly invoke this function. Since server memory space is allocated for each Java clone invocation, a steep increase in server resource usage and denial of service conditions follow. The Imperva Application Defense Center has implemented tests confirming this result. Forceful access to other sensitive Web site functions can lead to alternative outcomes such as data theft." Mitigating AJAX DWR Forceful Method Invocation risk, Shulman adds, requires secure code development to eliminate exposed classes that have methods which should not be invoked by the client: "The code writing effort varies in complexity depending upon the phase of Web application deployment. Securing applications during initial development is less costly than securing existing applications. Imperva’s SecureSphere Web Application Firewall can be used to accelerate and reduce the cost of risk mitigation – especially for existing Web applications.""Whenever possible,: Shulman concludes, "Web application security logic should be implemented in server code. Server logic is less accessible to attackers and therefore less vulnerable."
YOUR FEEDBACK
LATEST AJAXWORLD RIA STORIES
SUBSCRIBE TO THE WORLD'S MOST POWERFUL NEWSLETTERS SUBSCRIBE TO OUR RSS FEEDS & GET YOUR SYS-CON NEWS LIVE!
|
SYS-CON FEATURED WHITEPAPERS MOST READ THIS WEEK |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
| | | | | | | | |
|
|
|
|
|
|
| | | | | | | | | | | | | | | | |
|
|
| SYS-CON MEDIA: | | | | |
| SYS-CON EVENTS: | | | | | |
| INTERNATIONAL SITES: | | | | | | | | | | |
 |
Terms of Use & Our Privacy Statement  About Newsfeeds / Video Feeds |
| Copyright ©1994-2008 SYS-CON Publications, Inc. All Rights Reserved. All marks are trademarks of SYS-CON Media. |
| Reproduction in whole or in part in any form or medium without express written permission of SYS-CON Publications, Inc. is prohibited. |
.gif)
(SYS-CON Media) – A significant vulnerability in the security logic of a well known open source AJAX library called DWR has been identified by the Imperva Application Defense Center.
Adobe and Intel plan to collaborate on porting Adobe’s Flash widgetry to Intel’s Media Processor CE 3100, a way to put Flash-enhanced web content and rich Flash applications on television. The chip is bound for cable set-top boxes, Blu-ray Disc players, digital TVs and retail...
Here, SYS-CON's Web 2.0 Journal has asked a selection of the industry's brightest minds what their own advice would be in these troubled times, and assembled it into a ten-point guide for software vendors, entrepreneurs, and startups to riding out a recession.
