Analysis & Solution: Security Vulnerability Discovered in DWR, Open Source Java AJAX Development Framework

By Angsuman Chakraborty, Gaea News Network
Tuesday, January 9, 2007

Security vendor Imperva has identified an access-control vulnerability in DWR, Java Open Source AJAX development framework (stable release 1.1.3 and 2.0), which it says an attacker can use to compromise a DWR based application which may in turn enable him to say break into back-end databases or servers or launch a denial-of-service-attack.

On a positive note Imperva commented that DWR, AJAX Web application development framework, is
“emerging as the lingua franca for building new generation Web 2.0 applications” :)

Forceful Method Invocation Attacks
The key issue is how DWR restricts access to not exposed class methods. DWR 1.1.3 provides a configuration option that forbids the invocation of class methods. This exclusion can be applied to some or all of a class’s methods, and it is configured in the dwr.xml file. DWR 2.0 adds an additional configuration option that includes JAVA code annotations. However, both methods enforce their restrictions only on the client side. Therefore, by manipulating HTTP requests through a proxy, excluded methods can be invoked. This also applies to public methods that are inherited from super classes.

As a consequence of the above vulnerability restricted operations may be unintentionally exposed to web users.

The solution is simple for application developers. Simply mark the methods that you don’t want to expose as private or protected. Anyone not doing so already should be expelled from Java world for lacking the minimum concepts of object oritented development :)

You can also use a Proxy to expose certain methods only.

On DWR’s side the solution would be to enforce the same restrictions on server side too, isn’t it elementary Dr. Watson?

will not be displayed