The ADC announced the discovery of a critical vulnerability in DWR (Direct Web Reporting) – a well known open source AJAX library that is incorporated into existing public Web sites. AJAX DWR includes two mechanisms that restrict access to sensitive functions (or “methods”). However, these mechanisms only affect client side code. Thus, an attacker can circumvent these restrictions using commonly available client tools (e.g. an HTTP client proxy) to manually manipulate browser requests. An exploit of this vulnerability can result in multiple damaging outcomes including data theft and denial of service.

This client-side vulnerability can be exploited to launch Denial of Service (DoS) attacks and break into back-end servers and databases.  AJAX is emerging as the new lingua franc for building new generation Web 2.0 applications such as Google Maps. Since AJAX executes a much larger proportion of application logic in the web browser than traditional web applications, it exposes a broader attack surface to client-side exploits used by attackers to target sensitive back-end servers directly.

Mitigating AJAX DWR Forceful Method Invocation risk requires secure code development to eliminate exposed classes that have methods which should not be invoked by the client. The code writing effort varies in complexity depending upon the phase of Web application deployment. Securing applications during initial development is less costly than securing existing applications. Imperva’s SecureSphere Web Application Firewall can be used to accelerate and reduce the cost of risk mitigation – especially for existing Web applications.

The ADC has published a free security advisory that details the DWR vulnerability and how to mitigate attacks. The ADC Security Advisory on the DWR vulnerability is available at: http://www.imperva.com/application_defense_center/papers/web20-ajax-dwr-...